Analysis published today examines reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.
In a write-up of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to North Korea, and that TrickBot, TA505, and Dridex are connected to Russian-speaking cybercriminals. To do the analysis, Arena explored public and open sources from security researchers who published information on threat activity.
The report concludes North Korean attackers are likely active in the cybercriminal underground and maintain relationships with high-level Russian-speaking cybercriminals, Arena reports. Further, malware believed to be used by, and likely written by, North Korean attackers was "very likely" distributed using network accesses held by Russian-speaking cybercriminals.
"[There's] the link between TrickBot and the operators behind Trickbot pretty clearly selling accesses to financial institutions to the North Koreans," says Arena. "And the fact that getting access to the TrickBot operators – figuring out who they are and who you contact for that – you have to be pretty vetted from a cybercriminal perspective."
TrickBot is a malware distribution framework not advertised on any open or invite-only criminal forum or marketplace, Arena says. It's is only accessible to top-tier criminals with a proven reputation gained through involvement with buying and selling products and services in the criminal underground. The ability of North Korean attackers to communicate with TrickBot's operators and customers would mean they're considered top-tier cybercriminals themselves.
Dr. Grey Rattray, partner and founder for Next Peak LLC, and former NSC director for cybersecurity at the White House, agrees. He calls Lazarus Group the "quintessential scary, emerging strategic actor." While who they are is a little indeterminate, "they are a group with real capability" and nation-state grade tools, which they'll use to achieve any number of goals.
"Any organized group uses the least necessary tools," says Rattray, who has previously run red team and offensive operations. Lazarus Group is capable of using the tools necessary to achieve any number of goals aligning with what the North Korean regime wants, he adds. TrickBot is one of them – SentinelOne researchers spotted Lazarus Group using TrickBot to deploy its own malware samples onto the network of a business targeted with the Anchor attack toolset.
Based on findings from SentinelOne and several other research teams, Intel 471 assesses a likely link between TrickBot operators and North Korean attackers. TrickBot seems to be a source of compromised accesses that North Korean actors can use, and the people controlling it seem well-versed in identifying compromised organizations for follow-up attack activity – whether that's through Anchor or other intrusion tools like Metasploit, Cobalt Strike, or Empire.
The TrickBot link was the strongest discovered between North Korean attackers and Russian-speaking cybercriminals, Arena states in a blog. He estimates this activity has been ongoing for over a year, though despite the length of time, it's unclear whether the Russian-speaking actors know they're selling to North Korean attackers, who he says are also speaking in Russian.
Intel 471 also explored potential connections between North Korean attackers and TA505, as well as links to Dridex. They concluded while TA505 may have historically worked with North Korean attackers on occasion, it doesn't seem to have happened recently. No link was found between North Korea and Dridex.
Lazarus Group and Russia: Targets and Motivations
How do North Korea and Russian-speaking attackers benefit from such a collaboration? Arena starts with Russia: "What they gain out of it is their access to a team or group of people [who] are specialized in hacking banks and stealing huge amounts of money," he explains.
If Russian-speaking attackers sell access to a financial institution, for example, there could be a monetary incentive if the intrusion is successful. The North Korean actors who steal the funds may give back a percentage if they're able to steal large sums of money, Arena notes.
For North Korea, the benefit is a source of access into financial institutions. While they likely have the capability to social engineer their way into a bank, the process is time-consuming.
"If they're able to leverage accesses in the underground from other criminals, that's just something they don't have to do themselves," Arena adds.
From a cybercrime perspective, Russia is "leaps and bounds" ahead of other regions, which makes it an appealing collaborator. While some Russian-speaking actors are motivated by espionage, the groups in this case are purely motivated by financial gain – a goal that aligns them with North Korean attackers.
Their primary focus is on organizations with lower levels of security – for example, Rattray points to the attack on the Bank of Bangladesh, conducted by APT 38, an attack group that emerged as its own entity from the Lazarus Group. The rise of APT 38 coincided with international economic sanctions against North Korea and resulting economic pressures.
This was one of a very large number of attacks against weak nodes in the payment system, he says. Attackers didn't get inside the SWIFT organization but inside the people who use SWIFT to transfer major sums.
"That's a transformational type of risk," he adds. "If we can't be confident that endpoints in the SWIFT system are not going to be corrupted and move tens, if not hundreds, of millions of dollars in fraudulent transactions, people start to get worried."
Getting inside the Bank of Bangladesh, and living in there long enough to figure out how to push a fraudulent payment, is something an intelligence agency might do, Rattray points out. While he doesn't track specific attack groups, he says collaboration with Russian-speaking actors would be a "logical evolution" for the group.
"Lazarus Group has and will continue to use the tools and techniques necessary for the mission," he says. "They operate like an intelligence service." The group has proved itself highly capable, and willing, to do the highest end of bad things, and their agility in doing so is an asset.