Lazarus Hacking Group Set IT Supply Chain Attacks in Motion

North Korean-backed Lazarus hacking group that inclines to infiltrate the military has now shifted its focus on new targets. It has embarked on a journey of expanding its IT supply chain attack capabilities. In this regard, researchers at cybersecurity company Kaspersky have recently claimed that the Lazarus group breached a South Korean think tank in June. In the previous month of May, the same group breached a Latvian IT vendor. Kaspersky researchers state that the group has built IT supply chain capabilities with an upgraded DeathNote malware cluster. It refers to leveraging a new variant of the BlindingCan backdoor in these attacks. For the sake of your information, BlindingCan is the North Korean Remote Access Trojan (RAT).


Get our specialized digital forensics services to discover the root cause of your case. Remember, it is essential to gather information and evidence to follow legal action after containing a threat.


Leveraging Multi-Platform MATA Framework for Cyberespionage

Lazarus hacking group – the advanced persistent threat (APT) group – conducts IT supply chain attacks through its multi-platform MATA framework. For the record, such MATA malware framework contains the potential to target three operating systems, namely Linux, Windows, and macOS. Historically, cybercriminals have used MATA to spread ransomware and exfiltrate customer databases in several industries. Nevertheless, Kaspersky research discovered in June that the APT group was leveraging MATA for cyberespionage.

Dissecting Recent IT Supply Chain Attacks by Lazarus

The first IT supply chain attack conducted by Lazarus involved a network of a South Korean security vendor. The group has exploited the company’s software to deploy two Remote Access Trojans on a South Korean think tank network. One of them is BlindingCan, whereas the other one is Copperhedge. Along similar lines, the CISA (Cybersecurity and Infrastructure Security Agency) had issued separate alerts last year. One dates back to May 12, 2020, while the other goes back to August 19, 2020. It raised a warning that the Lazarus group was using the two Remote Access Trojans (RATs) to keep a presence on compromised networks. In addition, it also warned that the group was utilizing BlindingCan to drain intelligence off military and energy outfits.

In the second attack, the group had targeted an IT company that develops asset monitoring solutions in Lativa. This time, the APT group had deployed the Copperhedge backdoor on the network of the technology provider. According to Ariel Jungheit, the group conducted the attack in a careful multi-stage process through two layers of multiple command and control servers. Keep in mind that he is a senior security researcher at Kaspersky.

The Mystery about the BlindingCan Backdoor

CISA and FBI had initially identified the BlindingCan backdoor used in the IT supply chain attacks conducted by the Lazarus group. They discovered that it contains the potential to escape the compromised system for achieving numerous functions. It includes evading detection, spawning & killing processes, exfiltrating data, and tampering with file and folder timestamps.

Beginning Of the Lazarus Group

The researchers claim that the advanced persistent threat group has been active since nearly 2009. It is a group that has participated in several large-scale cyberespionage and ransomware campaigns. The group has also indulged in attacking the cryptocurrency market and defense industry, according to researchers. Kaspersky researchers also believe the group contains a wide range of advanced tools. Currently, they are applying them to new goals.

Among several attacks against the military, researchers have found one of its campaigns in July this year. The APT group was spreading malicious documents to job-hunting engineers by disguising themselves as defense contractors seeking job candidates. Before that, researchers linked a 2020 spear-phishing campaign to advanced persistent threats. The group stole critical information from defense companies by using an advanced malware known as ThreatNeedle.

The Final Word

The senior security researcher expressed in the summary that the new revelations indicate Lazarus is still keen on penetrating the defense industry. Furthermore, it is attempting to expand into IT supply chain attacks. Hence, staying vigilant and ensuring proactive security is the only way to deal with threat actors investing in such capabilities. Without question, IT supply chain attacks can break the trust in the relationship between your company and your customers.