The Lazarus Group Used Custom Malware to Target Defense Industry
The North Korea-linked threat actor expands to stealing defense secrets.
After having a busy 2020, it seems that 2021 is going to be at least as equally productive for the North Korean Lazarus group. Considered one of the most dangerous hacking groups at the moment, they have targeted the defense industry with malware dubbed ThreatNeedle since early 2020 with the ultimate purpose of nabbing classified information.
Active since at least 2009, Lazarus has also been linked to ransomware campaigns, cyber espionage, and cryptocurrency business attacks. They have also used COVID19-themed spear-phishing emails with malicious attachments or links as the initial access vector to the companies’ enterprise network. Once the document is opened, ThreatNeedle is installed, allowing the attacker to obtain full control of the victim’s device, manipulate it and remotely execute commands.
Kaspersky researchers Vyacheslav Kopeytsev and Seongsu Park stated that this is how Lazarus first gained an initial foothold. What is most concerning is that they observed how the hackers were able to bypass at least one unnamed organization’s network segmentation protections.
The network was split between corporate and restricted segments, and the company operated under a strict internal policy of not exchanging information across the two segments.
While ThreatNeedle may initially like the average malware, it’s actually much more serious than that. It is capable of jumping between Internet-facing office networks and restricted access operational technology (OT) networks where crucial hardware lives.
Additionally, ThreatNeedle helped Lazarus to move laterally throughout the defense organizations’ networks and collect sensitive data that got exfiltrated using a custom tunneling tool to remote compromised South Korean servers. What’s more, this backdoor allowed them to go past network segmentation and gain access to restricted networks with business-critical devices that didn’t have Internet access, the Kaspersky report states.
After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.
The hackers took control of administrators’ workstations, installed malicious gateways, and stole documents and data from both office IT networks (devices used for storing business and customer info) and restricted networks, where classified data was being stored and managed.
Although mainly known for targeting worldwide financial institutions, the Lazarus group switched its focus to defense industry organizations in early 2020, when this campaign began. The hackers repurposed their ThreatNeedle malware for the sole purpose of stealing sensitive data as part of targeted espionage attacks.