Photo by Morrowind/Shutterstock.com
Lazarus hacking group, also known as APT 38 is a North Korean state-sponsored hacking group that has resurfaced with the recent $600 million theft from the Axie Infinity linked Ronin-bridge.
The group is known for pulling off financially motivated heists. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Based on Widely publicised information, the group has attempted to steal more than $1.1 Billion according to a report by Mandiant in 2018. Since then, the total damages have only increased.
What really sets Lazarus or APT38 apart is the financial motivation, unique toolsets, tactics, techniques and procedures that set them apart from other North Korean cyber activity. The group is believed to operate more like an espionage operation, conducting careful recon and compromise of financial institutions as well as balancing their financial objects with learning about the internal systems of their targets.
The group was also behind the infamous WannaCry ransomware attack that hit around 230,000 computers in 150 countries causing around $4 billion in damages. A third of NHS hospitals were impacted by the attack, costing £92 million in losses after 19,000 appointments were cancelled as a result of the attack.
Group is believed to be operating in two parts:
BlueNorOff is the main financially motivated branch of the group that’s responsible for the majority of their financial heists. The arm is dubbed APT38 by Mandiant and Stardust Chollima by Crowdstrike.
According to a 2020 report by the U.S Army, the branch has about 1700 members. It usually targets financial institutions and more recently cryptocurrency exchanges. BlueNorOff is the branch responsible for pulling off the infamous 2016 Bangladesh Bank robbery where they tried to use the SWIFT network to steal close to $1 billion from the bank. The group nearly succeeded, causing $81 million in damages to the bank.
The second, more stealthy branch of the group focuses on infiltrating South Korea with targets including government, defence and any other economical assets, however, the group has been known to target other governments as well. The same 2020 U.S Army report puts the headcount close to 1600.
Here are some of Lazarus’ past attacks.
|Date of attack||Target(s)||Damages|
|November 2014||Sony Pictures||$8 million|
|February 2016||Bangladesh Bank||$81 million|
|May 2017||Multiple targets globally||$4 billion|
230,000 computers affected
|January 2017-October 2018||Multiple Crypto exchanges||$571 million|
|November 2018||Multiple Asian, African countries||$10 million+|
|September 2019||Kudankulam Nuclear Power Plant, India||–|
|September 2020||KuCoin||$275 million|
|2021||At least seven different crypto exchanges||$400 million|
|January 2022||Windows Update Client||–|
|March 2022||Ronin bridge||$625 million|
|April 2022||Multiple crypto exchanges||–|
General Attacking Pattern
Lazarus’ attacks generally follow the following attack pattern:
- Information gathering
- Initial Compromise
- Internal recon
- Pivot to the victim server
- Transfer funds
- Destroy Evidence
The group often targets accounts that can enable further access to targeted organisations. These could be employees at a target bank or crypto exchange or higher working executives whose credentials might prove useful when carrying out the attack later.
While attack vectors vary from victim to victim and are largely based on the type of security a particular victim has, the group often relies on watering hole attacks to gain initial access to at least some of its targets. In at least one instance, the group also exploited an insecure outdated version of Apache Struts2 to execute malicious code on a target system.
Once inside the network, the group usually deploys malware to gather credentials and map the network. On average, Mandiant observed that APT38 remains within a network for about 155 days. The longest compromised victim is believed to be 678 days.
Pivot to target servers
Once installation of recon malware and internal network monitoring tools is complete, the group deploys active and passive backdoors on target networks (mostly SWIFT) at the target organisations
After gaining access to the target servers, the group uses malware allowing it to insert fraudulent SWIFT transactions and change transaction history. Funds are usually transferred to accounts et up in other banks, mostly in other countries, especially with negligible oversight.
After completing the transfers, the group deletes logs and files using non-public malware. There have been instances of the group deploying and executing disk-wiping malware to get rid of any evidence as well. The group has also been known to use publicly available ransomware on the target organisation’s systems to delay SWIFT investigations and destroy any leftover activity.
Using malicious cryptocurrency apps
The CISA, FBI and the U.S Treasury department issued a warning on April 18 warning that the group was targeting organisations in the crypto and blockchain industries by using trojanised crypto applications and social engineering attacks to trick employees into downloading and running malicious Windows and macOS cryptocurrency apps. This is an ongoing attack at the time of writing.
Ronin, a sidechain connected to the main Ethereum blockchain was in late March in one of the biggest crypto hacks to date causing the platform a loss of about $625 million in USDC and Ethereum. The attack affected Ronin validator nodes for Sky Mavis, publishers of the Axie Infinity game and the Axie DAO.
The U.S Department of Treasury later alleged that the North Korean group was behind the attack and added an Ethereum address linked with the group to its sanctions list.
Using Windows Update to deploy malware
In January 2022, the group added the Windows Update Client to its list of living-off-the-land binaries and exploited it to run malicious code on Windows systems. The deployment method was discovered by the Malwarebytes Threat Intelligence team during their analysis of a spearphishing campaign impersonating American aerospace company Lockheed Martin.
At least seven different crypto exchanges targeted in 2021
According to a report by Chainanalysis, Lazarus hit at least seven different cryptocurrency platforms in 2021 extracting nearly $400 million in digital assets. The attacks primarily targeted investment firms and centralised exchanges using phishing, code exploits, malware and advanced social engineering attacks.
On September 25, 2020, the Lazarus group stole more than $275 million from KuCoin. The stolen funds included the following.
- 1,008 BTC
- 11,543 ETH
- 19,834,042 USDT-ETH
- 18,495,798 XRP
- 26,733 LTC
- 999,160 USDT
- $87 million worth of Stellar Tokens
- $147 million worth of ERC-20 Tokens
Indian Kudankulam Nuclear Power Plant hacked
In September 2019, the Nuclear Power Corporation of India Limited acknowledged that malware attributed to North Korean State actors was found in the administrative network of the Kudankulam Nuclear Power Plant.
The malware in question was named Dtrack and had been previously used in attacks against financial and research centres based on Kaspersky data collected from about 180 samples. The malware shared its code with other malware attributed to Lazarus.
Multiple ATMs in Asian and African countries hacked
In September 2018 Lazarus launched an operation called FASTCash which enabled the group to fraudulently empty ATMs of cash in multiple Asian and African countries. The operation worked by breaching the targeted banks’ networks and compromising the switch application servers handling ATM transactions.
Multiple crypto exchanges hacked for $571 million
Since January 2017, Lazarus was behind 14 hacking attacks on different cryptocurrency exchanges, costing nearly $571 million in damages. The group targeted these exchanges using spear phishing, social engineering and malware.
Spear phishing was the main attack vector for corporate networks. Threat actors delivered malware by disguising it under CV spam with an attachment that carried the malware.
Wannacry Ransomware saga
One of Lazarus’ most notorious attacks, the Wannacry ransomware attacks hit around 230,000 computers in over 150 countries worldwide. The attack began on May 12, 2017, with the first infection coming from Asia. It used a Windows exploit and was wormable in nature, meaning it could spread through networks rather quickly.
A third of NHS hospital trusts were hit by the attacks with ambulances being reportedly rerouted. The NHS lost £92 million and 19,000 appointments were cancelled due to hospital computers not being in an operable state. The ransomware is estimated to have cost nearly $4 billion in global damages.
Bangladesh Bank heist
In February 2016, the Lazarus group broke into Bangladesh’s central bank and got away with nearly one billion dollars. The hackers broke into the bank, which had no firewalls and were using a second-hand, unmanaged network switch and started transferring funds to bank accounts in the Philippines and Sri Lanka.
Later investigation by British defence company BAE Systems showed that the SWIFT software at the bank was compromised, allowing the hackers to get away with sending money internationally without leaving a trace in Bangladesh.
In the end, the attackers got away with $81 million in four separate transactions. The hack was detected when a hacker made a typo while attempting to transfer $20 million to a Sri Lankan NGO called Shalika Foundation, typing it as Shalika ‘Fandation’ instead. The typo raised concerns at Deutsche Bank. When the bank staff tried to verify this with the Bangladesh Bank, the hack was discovered and the remaining transfers were cancelled.
Sony Pictures hack
Lazarus’ first big attack was on Sony Pictures where the company’s computers were targeted by the wiper malware which erased all data on the infected computers and connected servers. The attackers called themselves the “Guardians of Peace” and then over the course of several weeks, posted waves of files stolen from Sony computers including five Sony movies, four of which were unreleased to file-sharing networks.
Other leaked documents included thousands of confidential documents including private messages between Sony executives and salary and performance data on Sony employees. The attackers also demanded that Sony takedown “The Interview” a movie about a couple of journalists who travel to North Korea to assassinate Kim Jong Un. Sony later ended up paying $8 million to settle a lawsuit by employees who claimed their personal information was leaked in the attack.