North Korean Lazarus APT Targets Software Supply Chain

A notorious North Korean APT group has been observed compromising the software supply chain, in campaigns reminiscent of the attacks on SolarWinds and Kaseya, according to Kaspersky.

Lazarus infected legitimate South Korean security software to deploy a malicious payload to target a think tank in the Asian country, researchers explained. 

The attack used an updated version of its BLINDINGCAN remote access Trojan (RAT), previously covered by the US authorities, and a second RAT, dubbed COPPERHEDGE.

A second campaign saw Lazarus first target a Latvian IT asset monitoring solutions provider. Although it’s unclear whether there were any downstream victims, the attack involved using a downloader dubbed “Racket,” which was signed using a stolen certificate. Additionally, multiple vulnerable web servers were reportedly compromised at the firm, and malicious scripts were uploaded to control implants on breached machines.

Kaspersky also noted a renewed interest by Lazarus in the defense industry. In June, it spotted cyber-espionage attacks using the MATA framework, which works across three operating systems — Windows, Linux and macOS.

The attacks involved trojanized versions of apps in heavy use by the victim organizations, Kaspersky said.

“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks,” said Ariel Jungheit, a senior security researcher at Kaspersky.

“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front.”

A BlueVoyant report from earlier this month claimed that 93% of global organizations had suffered a direct breach via their supply chains over the past year. In fact, the number of breaches of this type surged by 37% from the previous year, it claimed.
