Lazarus Group Attack Identified After Operational Security Fail


A ransomware attack on targeted research, medical and energy sector organizations has been attributed to North Korea's advanced persistent threat (APT) Lazarus Group after the threat actor committed an "operational security mistake."

Writing in an email to Infosecurity, WithSecure has said that after investigating the attack, the team linked it to a broader intelligence-gathering operation.

"While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction," explained WithSecure senior threat intelligence researcher Sami Ruohonen.

"As we collected more evidence, we became more confident that the attack was conducted by a group connected to the North Korean government."

According to the team, the new campaign highlighted several "noteworthy developments" compared to previous Lazarus Group activity.

These included the use of new infrastructure, such as the exclusive use of IP addresses with no domain names, a modified version of the Dtrack backdoor and a novel variant of the Grease malware.

As for the operational security mistake mentioned by WithSecure, the team said the attacker used one of the 1000 IP addresses belonging to North Korea, and that address was observed connecting to an attacker-controlled web shell.
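Two hunt checks that follow from the details above, written here as an added example rather than code from WithSecure's advisory or this article: inbound web-server requests from an attributed IP range hitting a script path, and outbound connections to bare IP addresses with no domain name. The CIDR, hostnames, paths and log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed placeholder standing in for a country-attributed address block;
# a real hunt would load such ranges from a geolocation or ASN feed.
FLAGGED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed web-server access log (combined format). The second line is a
# POST to a script file under an image directory, a common web shell pattern.
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2023:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [10/Feb/2023:09:12:44 +0000] "POST /images/cache.aspx HTTP/1.1" 200 88
203.0.113.9 - - [10/Feb/2023:09:13:02 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Constructed outbound proxy log: timestamp, source host, destination URL.
PROXY_LOG = """\
2023-02-10T09:14:00Z ws-042 https://update.example.com/feed
2023-02-10T09:14:05Z ws-042 http://203.0.113.250:8080/v1/ping
2023-02-10T09:14:07Z ws-017 https://mail.example.com/owa
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_bare_ip_host(host):
    """True when the URL host is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hunt_inbound(log_text, ranges=FLAGGED_RANGES):
    """Return (ip, method, path) for requests whose source falls in a flagged range."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and any(ipaddress.ip_address(m["ip"]) in net for net in ranges):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits

def hunt_outbound_bare_ip(log_text):
    """Return (source_host, url) for outbound connections to a bare IP with no domain name."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and is_bare_ip_host(urlparse(parts[2]).hostname or ""):
            hits.append((parts[1], parts[2]))
    return hits
```

Neither check is proof of compromise on its own; a flagged-range hit on a script path and a bare-IP beacon from the same host are the combination worth escalating.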

"In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints," warned Tim West, head of threat intelligence at WithSecure.

"Even with accurate endpoint detection technologies, organizations need to continually consider how they respond to alerts, and also integrate focused threat intelligence with regular hunts to provide better defense in depth, particularly against capable and adept adversaries."

Attackers reportedly managed to exfiltrate 100GB of data, but WithSecure said they had taken no destructive action by the point the intrusion was disrupted.

More information about the attack and the malware used is available in a complete advisory published by WithSecure earlier today.

The technical write-up comes weeks after the FBI confirmed Lazarus Group was behind last year's $100m theft from cryptocurrency firm Harmony.
