Gruppo Lazarus
The Lazarus Group is a North Korean state-sponsored Advanced Persistent Threat (APT) group.
The Origin of the Lazarus Group
The Lazarus group has been active since around 2009, with its first major operation known as 'Operation Troy'. They are responsible for several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware attack.
Unlike many state-sponsored groups, Lazarus is highly financially motivated, conducting bank heists and cryptocurrency thefts to support North Korea's economy.
According to MITRE, North Korean threat group definitions often overlap significantly. Some security researchers categorize all North Korean state-sponsored cyber activity under the Lazarus Group name, rather than distinguishing between specific clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.
The group used the name of Guardians of Peace for the Sony hack but is also known by other names such as Hidden Cobra (by the US Department of Homeland Security and the FBI), ZINC, NICKEL ACADEMY, Diamond Sleet (by Microsoft) and Labyrinth Chollima (by Crowdstrike).
Countries targeted by Lazarus
The group's operations have been traced globally, with confirmed activity in the United States, South Korea, India, Bangladesh, and the broader Asia-Pacific region. They have also targeted entities in Europe and the Middle East. Lazarus is known for targeting countries involved in economic sanctions or diplomatic disputes with North Korea.
Industries targeted by the Lazarus Group
Lazarus Group has shown a diverse targeting profile, including government agencies, financial institutions, defense contractors, cryptocurrency exchanges, and media companies. Their motivations vary from political espionage to financial theft, with a focus on sectors that can either generate funds for the North Korean regime or yield sensitive information.
Lazarus' Victims
Notable victims include Sony Pictures (2014), Bangladesh Bank (2016), and various cryptocurrency exchanges. Their activity in the financial sector, particularly through the use of destructive malware and heists, has caused millions in damages. The group has also conducted cyber espionage campaigns against South Korean institutions.
Lazarus Group's Attack Method
Lazarus frequently uses spear-phishing campaigns to gain initial access, often employing malicious attachments or links that deliver custom malware.
After gaining access, they deploy tools such as rootkits or custom malware to elevate privileges and move deeper into networks.
The group is adept at evading security measures using techniques like disabling security software, leveraging stolen certificates, or exploiting zero-day vulnerabilities.
Lazarus uses keyloggers, credential-dumping tools, and exploits to gather user credentials, often targeting high-privilege accounts.
Once inside a system, they perform network reconnaissance to identify critical systems and data repositories using built-in commands and tools like PowerShell.
Lazarus moves laterally across networks using valid credentials, remote desktop protocols (RDP), or exploiting trust relationships between systems.
Sensitive data is often collected through tools like file-sharing services or malware with custom exfiltration capabilities, targeting financial data, cryptocurrency wallets, and confidential documents.
The group uses custom backdoors, such as Manuscrypt and Destover, to execute commands remotely and maintain persistence.
Stolen data is exfiltrated using compromised web servers, FTP servers, or encrypted communications channels to ensure that the information reaches their command and control infrastructure.
In financial operations, Lazarus often disrupts systems post-theft, using wiper malware to cover their tracks. They have been involved in ransomware campaigns and data destruction, further amplifying the impact on their victims.
Lazarus frequently uses spear-phishing campaigns to gain initial access, often employing malicious attachments or links that deliver custom malware.
After gaining access, they deploy tools such as rootkits or custom malware to elevate privileges and move deeper into networks.
The group is adept at evading security measures using techniques like disabling security software, leveraging stolen certificates, or exploiting zero-day vulnerabilities.
Lazarus uses keyloggers, credential-dumping tools, and exploits to gather user credentials, often targeting high-privilege accounts.
Once inside a system, they perform network reconnaissance to identify critical systems and data repositories using built-in commands and tools like PowerShell.
Lazarus moves laterally across networks using valid credentials, remote desktop protocols (RDP), or exploiting trust relationships between systems.
Sensitive data is often collected through tools like file-sharing services or malware with custom exfiltration capabilities, targeting financial data, cryptocurrency wallets, and confidential documents.
The group uses custom backdoors, such as Manuscrypt and Destover, to execute commands remotely and maintain persistence.
Stolen data is exfiltrated using compromised web servers, FTP servers, or encrypted communications channels to ensure that the information reaches their command and control infrastructure.
In financial operations, Lazarus often disrupts systems post-theft, using wiper malware to cover their tracks. They have been involved in ransomware campaigns and data destruction, further amplifying the impact on their victims.
How to Detect Lazarus with Vectra AI
Domande frequenti
What is Lazarus Group known for?
Lazarus Group is known for cyber-espionage and large-scale financial theft, including the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist.
What motivates the Lazarus Group?
Their activities are driven by North Korean state interests, including political retaliation, espionage, and generating financial resources through illicit activities.
How does Lazarus gain initial access to target systems?
They frequently use spear-phishing campaigns with malicious attachments or links to deliver malware.
What sectors are commonly targeted by Lazarus?
Lazarus targets financial institutions, cryptocurrency exchanges, media companies, and government agencies.
What malware tools are associated with Lazarus Group?
They are associated with tools like Manuscrypt, Destover, and various custom backdoors and wipers.
What makes Lazarus Group difficult to detect?
Lazarus uses advanced defense evasion techniques, such as disabling security software, obfuscating malware, and using encrypted communication channels.
What role does Lazarus play in financial crimes?
The group is involved in stealing money from banks and cryptocurrency platforms, as well as conducting ransomware and destructive attacks to extort victims.
How can organizations detect Lazarus Group activities?
Organizations should monitor for known TTPs, such as abnormal application-layer protocols, suspicious use of valid accounts, and unusual credential access activity.
What are some defensive measures to counter Lazarus Group?
Implementing multi-factor authentication (MFA), strong network segmentation, timely patching of vulnerabilities, and advanced threat detection tools can mitigate their attacks.
Has Lazarus Group been involved in ransomware attacks?
Yes, they have deployed ransomware in some of their campaigns to maximize financial gain and disrupt victims' operations.