
Threat Intelligence

06:00 PM

Likely Links Emerge Between Lazarus Group and Russian-Speaking Cybercriminals

Researchers examine security incidents over the past several years that seemingly connect North Korea's Lazarus Group with Russian-speaking attackers.

Analysis published today examines years of public incident reports to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.

In a write-up of his findings, Mark Arena, CEO of security firm Intel 471, starts from two generally accepted assumptions: that Lazarus Group is tied to North Korea, and that TrickBot, TA505, and Dridex are connected to Russian-speaking cybercriminals. To do the analysis, Arena reviewed public and open sources from security researchers who have published information on this threat activity.


The report concludes North Korean attackers are likely active in the cybercriminal underground and maintain relationships with high-level Russian-speaking cybercriminals. Further, malware believed to be used by, and likely written by, North Korean attackers was "very likely" distributed using network accesses held by Russian-speaking cybercriminals.

"[There's] the link between TrickBot and the operators behind TrickBot pretty clearly selling accesses to financial institutions to the North Koreans," says Arena. "And the fact that getting access to the TrickBot operators – figuring out who they are and who you contact for that – you have to be pretty vetted from a cybercriminal perspective."

TrickBot is a malware distribution framework that is not advertised on any open or invite-only criminal forum or marketplace, Arena says. It is only accessible to top-tier criminals with a reputation proven through buying and selling products and services in the criminal underground. The ability of North Korean attackers to communicate with TrickBot's operators and customers would mean they are considered top-tier cybercriminals themselves.

Dr. Grey Rattray, partner and founder of Next Peak LLC and former NSC director for cybersecurity at the White House, agrees. He calls Lazarus Group the "quintessential scary, emerging strategic actor." While exactly who they are remains somewhat indeterminate, "they are a group with real capability" and nation-state grade tools, which they will use to achieve any number of goals.

"Any organized group uses the least necessary tools," says Rattray, who has previously run red team and offensive operations. Lazarus Group is capable of using whatever tools are necessary to achieve goals aligned with what the North Korean regime wants, he adds. TrickBot is one of them: SentinelOne researchers spotted Lazarus Group using TrickBot to deploy its own malware samples onto the network of a business targeted with the Anchor attack toolset.

Based on findings from SentinelOne and several other research teams, Intel 471 assesses a likely link between TrickBot operators and North Korean attackers. TrickBot appears to be a source of compromised accesses that North Korean actors can use, and the people controlling it appear well-versed in identifying compromised organizations for follow-up attack activity, whether through Anchor or other post-exploitation tools such as Metasploit, Cobalt Strike, or Empire.

The TrickBot link was the strongest Intel 471 found between North Korean attackers and Russian-speaking cybercriminals, Arena states in a blog post. He estimates this activity has been ongoing for over a year. Despite that length of time, it is unclear whether the Russian-speaking actors know they are selling to North Korean attackers, who he says also communicate in Russian.

Intel 471 also explored potential connections between North Korean attackers and TA505, as well as links to Dridex. It concluded that while TA505 may have historically worked with North Korean attackers on occasion, this does not appear to have happened recently. No link was found between North Korea and Dridex.

Lazarus Group and Russia: Targets and Motivations
How do North Korea and Russian-speaking attackers benefit from such a collaboration? Arena starts with Russia: "What they gain out of it is their access to a team or group of people [who] are specialized in hacking banks and stealing huge amounts of money," he explains.

If Russian-speaking attackers sell access to a financial institution, for example, there could be a monetary incentive if the intrusion is successful. The North Korean actors who steal the funds may give back a percentage if they're able to steal large sums of money, Arena notes.

For North Korea, the benefit is a source of access into financial institutions. While they likely have the capability to social engineer their way into a bank, the process is time-consuming.

"If they're able to leverage accesses in the underground from other criminals, that's just something they don't have to do themselves," Arena adds.

From a cybercrime perspective, Russia is "leaps and bounds" ahead of other regions, which makes it an appealing collaborator. While some Russian-speaking actors are motivated by espionage, the groups in this case are motivated purely by financial gain, a goal that aligns them with North Korean attackers.

Their primary focus is on organizations with lower levels of security. As an example, Rattray points to the 2016 attack on Bangladesh Bank, conducted by APT38, an attack group that emerged as its own entity from the Lazarus Group. The rise of APT38 coincided with international economic sanctions against North Korea and the resulting economic pressure on the regime.

This was one of a very large number of attacks against weak nodes in the payment system, he says. Attackers did not get inside the SWIFT organization itself but inside the member banks that use SWIFT to transfer major sums.

"That's a transformational type of risk," he adds. "If we can't be confident that endpoints in the SWIFT system are not going to be corrupted and move tens, if not hundreds, of millions of dollars in fraudulent transactions, people start to get worried." 

Getting inside Bangladesh Bank, and living in there long enough to figure out how to push a fraudulent payment, is something an intelligence agency might do, Rattray points out. While he does not track specific attack groups, he says collaboration with Russian-speaking actors would be a "logical evolution" for the group.

"Lazarus Group has and will continue to use the tools and techniques necessary for the mission," he says. "They operate like an intelligence service." The group has proved itself highly capable of, and willing to do, the highest end of bad things, and its agility in doing so is an asset.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
