On May 12, 2017, over 300,000 Windows computers in 150 countries fell victim to the WannaCry ransomware attack, which used the NSA-developed EternalBlue exploit to hold these machines hostage. Half a year later, the US officially attributed the attack to North Korea, asserting that the virus contained “lines of code that are identical to work by hackers known as the Lazarus Group.” This North Korean APT remains active and formidable; their focus currently lies on espionage and financial gain. The money is then used for “weapons of mass destruction and ballistic missile programs” (CISA), heightening the threat that North Korea poses to the rest of the world. This post will discuss the structure and motivations of the Lazarus Group.
North Korean cybercrime is a highly unusual APT, particularly because of its structure. The tight control exercised by the DPRK's authoritarian leadership has led many to treat all North Korean cybercrime as a single entity. Bureau 121 is known to house most of the state's cyberattack initiatives, and it is unknown whether the infamous Lazarus Group operates independently of Bureau 121 or in coordination with it. As a result, researchers use various labels, including Lazarus Group, Hidden Cobra, APT38, and BlueNoroff, to refer to North Korean cyber threats as a whole.
North Korea has a distinct lack of technological infrastructure, and only a select few (about one percent of the population) have permission to access the internet. Any cybercrime originating from North Korean citizens is therefore very likely under full government control, which supports the practice of treating North Korean cybercrime as a single, general threat. The North Korean government provides its "cyberwarriors" with vast resources, intensive training, and an aggressive agenda, making them extremely dangerous to companies and other nation-states.
John C. Demers, a US official, referred to the group as a "criminal syndicate with a flag." North Korea has been engaging in criminal activities for decades; cybercrime is simply its newest initiative. Between 2014 and 2017, three major attacks caused the rest of the world to wake up to the North Korean cyber threat: the Sony Pictures hack, the Bangladeshi bank robbery, and WannaCry. Since then, Lazarus has continued to wreak havoc on a multitude of victims.
According to Chong Woo Kim and Carolina Polito (researchers at the Asan Institute for Policy Studies), North Korea's motivations over time can be divided into three phases: the first focused on cyber disruption and DDoS attacks, the second on espionage, and the third on financial gain. We are currently in the financially focused phase, although espionage attacks remain common.
The rise in financially focused cyberattacks can be attributed to the growth of sanctions against North Korea, as well as the impact of COVID-19. In 2020, North Korea "substantially increased security along its northern border" with China, its largest trading partner, dealing a huge blow to its own economy (Human Rights Watch). The sharp uptick in ransomware coincides with the growth of cryptocurrency, which offers the attackers anonymity and eases money laundering, although its recent volatility has made reliable gains much harder to obtain. Together, the increase in sanctions, the high success rate of ransomware, and the rise of volatile but anonymous cryptocurrency have led North Korea to increase both the frequency and the intensity of its attacks.
Espionage, the other major motivation for North Korean cybercrime, serves political purposes such as military intelligence gathering and the infiltration of vital industries. Although Kim and Polito argue that the main goal of these cyberattacks has shifted toward financial gain, espionage activity has not slowed according to CISA statistics, and espionage malware may be hidden (or lying dormant) in critical and governmental infrastructure throughout the world. This does not necessarily mean that North Korea would be able to disrupt or shut down this infrastructure, but it should be assumed that they have a significant foothold in our systems.
North Korea's unique system of strict government control has produced a tightly regulated, state-supported cybercrime capability that threatens not only governments but also any company that could become a source of revenue. It is crucial for both the public and private sectors to prioritize cybersecurity as a proactive measure against falling victim to this APT.
By integrating over 850 different threat intelligence feeds, ThreatSTOP provides comprehensive protection against the Lazarus Group. As new indicators of compromise are discovered, they are swiftly added to our system and propagated to the blocklists and policies on all ThreatSTOP-protected networks. Users can also block North Korea as a whole with geography-based IP and domain blocklists.
Not a ThreatSTOP customer yet? Want to see how ThreatSTOP can instantly eliminate attacks on your network, including nation-state attacks and North Korea, or how it can effectively grow your MSP services?
Interested in learning more about North Korean cyber threats? See the next blog post in this series here.