Lazarus Hacking Group Now Focusing on IT Supply Chain Attacks
Researchers Noticed that Lazarus Has Been Conducting Two Different Supply Chain Attack Operations.
Lazarus Group, the Advanced Persistent Threat (APT) hacking group linked to the North Korean government, has shifted its attention to new targets, with cybersecurity researchers noticing that the actor is expanding its supply chain attack capabilities.
As per Kaspersky’s Q3 2021 APT trends report, the APT hacking group deployed the backdoor dubbed BLINDINGCAN to attack a think tank located in South Korea in June after using it to breach an IT asset monitoring solution vendor based in Latvia in May.
In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.
In the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.
The same report shows that Lazarus also deployed the North Korean Remote Access Tool (RAT) COPPERHEDGE through the BLINDINGCAN malware. The APT group had previously used this RAT when attacking cryptocurrency exchanges and similar businesses.
With the help of this backdoor, its operators are able to perform system reconnaissance, execute arbitrary commands on compromised machines, and exfiltrate stolen information.
The backdoor known as BLINDINGCAN was discovered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation.
According to the agencies, the backdoor is able to remove itself from infected networks in order to avoid being noticed, steal data, start and terminate processes, and tamper with file and folder timestamps.
Who Is Lazarus Group?
Lazarus Group, also tracked as APT38, Zinc, or HIDDEN COBRA, is a cybercrime gang with strong connections to North Korea. It is believed to have been active since at least 2009, with the gang’s first known attack being “Operation Troy”.
The hackers are notorious for some of the most significant cyberattacks in recent history. They are believed to have been behind the 2014 Sony Pictures incident and to have been connected to the theft of US$81 million from the Central Bank of Bangladesh in 2016.
According to security experts, Lazarus was also responsible for the WannaCry ransomware operation.
In April, we wrote about Google Threat Analysis Group research showing that the North Korean state-sponsored operation had set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers. The malware used was linked to the Lazarus Group.
The same month, we found out that the Lazarus group had been targeting the defense industry with malware dubbed ThreatNeedle since early 2020, with the ultimate purpose of stealing classified information.
They have also used COVID-19-themed spear-phishing emails with malicious attachments or links as the initial access vector into the targeted companies’ enterprise networks. Once the document is opened, ThreatNeedle is installed, allowing the attacker to obtain full control of the victim’s device, manipulate it, and remotely execute commands.
A few months ago, researchers at Kaspersky noticed that the APT hacking group used the MATA malware framework in cyber-espionage operations. According to them, MATA can strike Windows, Linux, and macOS operating systems.
According to BleepingComputer, the hackers used the MATA malware last year to deploy ransomware and steal information.
These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks.
When carried out successfully, supply chain attacks can have devastating results, affecting far more than a single organization – something we saw clearly with the SolarWinds attack last year.
As mentioned by BleepingComputer, DPRK-sponsored hacking groups including Lazarus, Bluenoroff, and Andariel were sanctioned by the U.S. Treasury in 2019.
Those who provide information on the threat actor’s activity and help disrupt it or locate its members will be rewarded with $5 million by the U.S. government.