Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:00 PM
Connect Directly

Likely Links Emerge Between Lazarus Group and Russian-Speaking Cybercriminals

Researchers examine security incidents over the past several years that seemingly connect North Korea's Lazarus Group with Russian-speaking attackers.

Analysis published today examines reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.

In a write-up of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to North Korea, and that TrickBot, TA505, and Dridex are connected to Russian-speaking cybercriminals. To do the analysis, Arena explored public and open sources from security researchers who published information on threat activity.

Related Content:

6 Signs Your Supply Chain Risk Just Shot Up

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: h2c Smuggling: A New 'Devastating' Kind of HTTP Request Smuggling

The report concludes North Korean attackers are likely active in the cybercriminal underground and maintain relationships with high-level Russian-speaking cybercriminals, Arena reports. Further, malware believed to be used by, and likely written by, North Korean attackers was "very likely" distributed using network accesses held by Russian-speaking cybercriminals.

"[There's] the link between TrickBot and the operators behind Trickbot pretty clearly selling accesses to financial institutions to the North Koreans," says Arena. "And the fact that getting access to the TrickBot operators – figuring out who they are and who you contact for that – you have to be pretty vetted from a cybercriminal perspective." 

TrickBot is a malware distribution framework not advertised on any open or invite-only criminal forum or marketplace, Arena says. It's is only accessible to top-tier criminals with a proven reputation gained through involvement with buying and selling products and services in the criminal underground. The ability of North Korean attackers to communicate with TrickBot's operators and customers would mean they're considered top-tier cybercriminals themselves.

Dr. Grey Rattray, partner and founder for Next Peak LLC, and former NSC director for cybersecurity at the White House, agrees. He calls Lazarus Group the "quintessential scary, emerging strategic actor." While who they are is a little indeterminate, "they are a group with real capability" and nation-state grade tools, which they'll use to achieve any number of goals. 

"Any organized group uses the least necessary tools," says Rattray, who has previously run red team and offensive operations. Lazarus Group is capable of using the tools necessary to achieve any number of goals aligning with what the North Korean regime wants, he adds. TrickBot is one of them – SentinelOne researchers spotted Lazarus Group using TrickBot to deploy its own malware samples onto the network of a business targeted with the Anchor attack toolset. 

Based on findings from SentinelOne and several other research teams, Intel 471 assesses a likely link between TrickBot operators and North Korean attackers. TrickBot seems to be a source of compromised accesses that North Korean actors can use, and the people controlling it seem well-versed in identifying compromised organizations for follow-up attack activity – whether that's through Anchor or other intrusion tools like Metasploit, Cobalt Strike, or Empire.

The TrickBot link was the strongest discovered between North Korean attackers and Russian-speaking cybercriminals, Arena states in a blog. He estimates this activity has been ongoing for over a year, though despite the length of time, it's unclear whether the Russian-speaking actors know they're selling to North Korean attackers, who he says are also speaking in Russian.

Intel 471 also explored potential connections between North Korean attackers and TA505, as well as links to Dridex. They concluded while TA505 may have historically worked with North Korean attackers on occasion, it doesn't seem to have happened recently. No link was found between North Korea and Dridex.

Lazarus Group and Russia: Targets and Motivations
How do North Korea and Russian-speaking attackers benefit from such a collaboration? Arena starts with Russia: "What they gain out of it is their access to a team or group of people [who] are specialized in hacking banks and stealing huge amounts of money," he explains.

If Russian-speaking attackers sell access to a financial institution, for example, there could be a monetary incentive if the intrusion is successful. The North Korean actors who steal the funds may give back a percentage if they're able to steal large sums of money, Arena notes.

For North Korea, the benefit is a source of access into financial institutions. While they likely have the capability to social engineer their way into a bank, the process is time-consuming.

"If they're able to leverage accesses in the underground from other criminals, that's just something they don't have to do themselves," Arena adds.

From a cybercrime perspective, Russia is "leaps and bounds" ahead of other regions, which makes it an appealing collaborator. While some Russian-speaking actors are motivated by espionage, the groups in this case are purely motivated by financial gain – a goal that aligns them with North Korean attackers. 

Their primary focus is on organizations with lower levels of security – for example, Rattray points to the attack on the Bank of Bangladesh, conducted by APT 38, an attack group that emerged as its own entity from the Lazarus Group. The rise of APT 38 coincided with international economic sanctions against North Korea and resulting economic pressures.

This was one of a very large number of attacks against weak nodes in the payment system, he says. Attackers didn't get inside the SWIFT organization but inside the people who use SWIFT to transfer major sums.

"That's a transformational type of risk," he adds. "If we can't be confident that endpoints in the SWIFT system are not going to be corrupted and move tens, if not hundreds, of millions of dollars in fraudulent transactions, people start to get worried." 

Getting inside the Bank of Bangladesh, and living in there long enough to figure out how to push a fraudulent payment, is something an intelligence agency might do, Rattray points out. While he doesn't track specific attack groups, he says collaboration with Russian-speaking actors would be a "logical evolution" for the group.

"Lazarus Group has and will continue to use the tools and techniques necessary for the mission," he says. "They operate like an intelligence service." The group has proved itself highly capable, and willing, to do the highest end of bad things, and their agility in doing so is an asset.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.