What is the first thing that comes to your mind when asked what techniques North Korea uses to threaten its ideological enemies? You would probably spit out two words without hesitation – nuclear program. But there is a more subtle threat, one that is rarely spoken about outside professional circles. An award for the real damage done could be granted to the state-sponsored group of cyber-attackers named Lazarus by threat intelligence researchers.
One of the main goals of the APT 38 a.k.a. Lazarus, or Hidden Cobra, is to raise money for North Korea to fund their weapons program. This is often done by pulling bank heists and stealing cryptocurrency from exchanges. Ransomware attacks are another source of their income. The group is also linked with the infamous WannaCry campaign back in 2017.
The Coronavirus crisis in the spring of 2020 was a particularly fruitful time for the Lazarus group. Several malware-spreading campaigns were initiated. One of them, tagged Flash Cobra, was active from March to May. Lazarus took part in social engineering attacks along with its branch group Kimsuky. Their goal was to exfiltrate confidential military information. Lazarus (marked as RGB-D3) aimed at aerospace and defense companies in the USA, Great Britain, Israel and India, while Kimsuky (RGB-D5) targeted companies producing artillery technology and armored vehicles. Their victims comprised companies located in South Korea, Russia, Ukraine and Turkey, as well as Slovakia.
The attacks were launched using various forms of spear phishing campaigns. Following Boeing’s economic difficulties, Lazarus targeted the company’s staff with emails offering jobs. Compromised accounts were then used to launch further attacks on selected government employees with the intent of exfiltrating sensitive information. The attacks on Otokar and on South Korean companies used crafted malicious mail servers posing as those of the targeted victims. The attackers also used malicious documents pretending to be job descriptions from Lockheed Martin Aeronautics Integrated Fighter Group and BAE Systems.
The malicious documents were designed to download a second document containing a macro. When that document is opened, the macro runs in the background on the victim’s computer. The malware carried by the macro then scans the victim’s system parameters and SQLite databases to extract valuable information. The data is sent to the C2 server in a POST request, using a header taken from a predefined profile of the web browser in use.
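The chain described above (document opened in Office, macro harvests data, POST to a C2 server while borrowing a browser profile) leaves a detectable trace: an Office process itself originating an HTTP POST, often with a browser User-Agent rather than the Office one. The following detector is an added example, not code from the original post or from LIFARS; it runs over constructed process-network telemetry lines, and the log format, hostnames, IP addresses and the 120-second download-to-POST window are assumptions for illustration.

```python
"""Flag Office processes that originate HTTP POSTs, especially with a browser
User-Agent, and note whether a download (GET) by the same process preceded them.

Added example; the telemetry format and all sample values are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Processes that should not normally originate outbound HTTP POSTs on their own.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Substrings typical of real browser User-Agent strings; an Office process
# presenting one of these is borrowing a browser's profile.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")

# Assumed telemetry column layout (constructed for this example).
FIELDS = ["timestamp", "host", "process", "method", "dest_host", "user_agent"]

# Assumed window in which a GET followed by a POST is treated as one chain.
DOWNLOAD_WINDOW = timedelta(seconds=120)

# Constructed sample telemetry: one suspicious chain on ws-042, one lone POST on ws-017.
SAMPLE_LOG = """\
2020-04-02T09:13:55Z,ws-042,winword.exe,GET,files.example-corp.test,Microsoft Office/16.0
2020-04-02T09:14:10Z,ws-042,winword.exe,POST,203.0.113.7,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.149
2020-04-02T09:14:12Z,ws-042,chrome.exe,POST,mail.example-corp.test,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/80.0.3987.149
2020-04-02T09:15:01Z,ws-017,excel.exe,POST,198.51.100.23,Microsoft Office/16.0
2020-04-02T09:16:30Z,ws-017,outlook.exe,GET,mail.example-corp.test,Microsoft Office/16.0
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    dest_host: str
    severity: str
    reason: str
    preceded_by_download: bool


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def scan_log(text: str) -> List[Alert]:
    """Return one Alert per HTTP POST originated by an Office process."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    last_get: Dict[Tuple[str, str], datetime] = {}  # (host, process) -> last GET time
    alerts: List[Alert] = []
    for row in reader:
        process = row["process"].lower()
        if process not in OFFICE_PROCESSES:
            continue  # browsers and mail clients are expected to talk HTTP
        ts = parse_ts(row["timestamp"])
        key = (row["host"], process)
        method = row["method"].upper()
        if method == "GET":
            last_get[key] = ts  # remember the download stage of the chain
            continue
        if method != "POST":
            continue
        borrowed_ua = any(marker in row["user_agent"] for marker in BROWSER_UA_MARKERS)
        recent_get = last_get.get(key)
        preceded = recent_get is not None and ts - recent_get <= DOWNLOAD_WINDOW
        if borrowed_ua:
            severity, reason = "high", "Office process POST using a browser User-Agent"
        else:
            severity, reason = "medium", "Office process originating an HTTP POST"
        alerts.append(Alert(row["timestamp"], row["host"], process,
                            row["dest_host"], severity, reason, preceded))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        chain = " (preceded by a download)" if alert.preceded_by_download else ""
        print(f"[{alert.severity}] {alert.timestamp} {alert.host} {alert.process} "
              f"-> {alert.dest_host}: {alert.reason}{chain}")
```

On the sample, the winword.exe POST to an external address with a Chrome User-Agent, 15 seconds after a document download, is rated high, while the excel.exe POST with the normal Office User-Agent is rated medium; in a real deployment the telemetry would come from an EDR or proxy feed with the same per-process attribution.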
Operation Flash Cobra was just one of many APT 38 campaigns detected by security experts around the world. The spring of 2020 was a profitable time for North Korean interests, and Lazarus keeps evolving into one of the regime’s most dangerous weapons.
Our Cyber Resiliency Team will simulate a real phishing attack against your organization and, based on the results collected and our in-depth analysis of the company email system (encryption, protocols, filters, etc.), we will help optimize the system to raise the overall security posture and keep cybercriminals from entering your network.