The Lazarus Group, North Korea's advanced persistent threat (APT) actor, appears to have broadened its primary mission, stealing money for the cash-starved regime via cyberattacks, to include stealing defense secrets.
Researchers at Kaspersky say last year the group was able to successfully transfer several gigabytes worth of sensitive information from a restricted network belonging to an organization in the defense sector. Kaspersky discovered the breach when it was called in to assist with incident response following a security incident at the organization.
One especially troubling aspect of the attack was the manner in which Lazarus operators overcame network segmentation at the organization to access a completely isolated segment of its network and exfiltrate data.
"We do not know what specific information was stolen since the evidence related to this was not transferred to us," says Vyacheslav Kopeytsev, senior security researcher at Kaspersky. "Based on the profile of the organization, it can be assumed that the attackers were interested in data on the production of weapons or military equipment."
The Lazarus Group is arguably one of the most active — and notorious — APT groups in operation. Researchers have tied the group to numerous high-profile and highly destructive attacks, including the one on Sony in 2014, the WannaCry ransomware outbreak in 2017, the theft of over $80 million from Bangladesh Bank in 2017, and attacks on several cryptocurrency operations. Though the group has been associated with several cyber espionage and hacktivist campaigns, security researchers believe one of its main missions is to use cyberattacks to steal money for North Korea's nuclear and ballistic missile programs.
According to Kaspersky, starting sometime in early 2020, the group appears to have expanded its mission to gathering defense secrets. Its primary weapon in the campaign is a backdoor called "ThreatNeedle," which the group uses to move laterally on compromised networks. So far, defense-sector organizations in more than a dozen countries have been impacted.
Kopeytsev says Kaspersky can't say for sure whether US organizations have been caught up in the campaign. Kaspersky's analysis of connections to a malware command-and-control server used in the operation shows connections from the United States. While those connections could be from victim organizations, they could just as well be from other security researchers who are investigating the same campaign, he says.
Like most modern threat campaigns, the Lazarus Group's attacks on the defense sector have involved the use of well-themed and well-scripted spear-phishing emails. In the attack that Kaspersky investigated, the emails were sent to individuals at various departments within the organization. The very realistic-looking emails purported to contain COVID-19 updates from the deputy head doctor of a medical center that is part of the organization. The emails contained a Word document with a macro that, when enabled, downloaded and executed other malware leading to the installation of ThreatNeedle, Kaspersky says.
COVID-19 was only one of several phishing lures that the group used in its bid to gain an initial foothold on the target network. Other lures included documents appearing to be from major defense contractors.
In early June 2020, an employee at the targeted organization opened one of the malicious attachments, allowing Lazarus Group members to gain remote control of the infected host and install ThreatNeedle on it. Kaspersky described the backdoor as part of a broader malware family called Manuscrypt that the Lazarus Group has used in numerous attacks on cryptocurrency operators and against a mobile game provider. The group uses the malware to conduct initial reconnaissance on an infected network and to collect credentials and move laterally by installing additional malware on it.
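The initial foothold described above came from a macro-enabled Word attachment. The check below is an added example for the defender's side, not tooling from Kaspersky or from the report: it treats an Office attachment as the ZIP container that every .docx/.docm actually is and flags the VBA project part and the macro-enabled content type, regardless of what the file extension claims. The two sample documents are constructed in memory, and the content-type strings are the standard OOXML ones; the allow/quarantine/block policy is an assumed example policy.

```python
"""Flag Office Open XML attachments that carry VBA macros (added example)."""
import io
import zipfile

# Standard OOXML content types for a macro-enabled and a plain Word document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def build_sample_doc(main_content_type: str, with_vba: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
            "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real document stores the compiled VBA project here; a placeholder
            # is enough for the structural check (constructed, not macro code).
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons an attachment looks macro-enabled; an empty list means none found."""
    reasons = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc or something else entirely: needs a separate inspector.
        return ["not an OOXML container"]
    names = z.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("vbaProject.bin part present")
    try:
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in ctypes:
            reasons.append("macroEnabled content type declared")
    except KeyError:
        reasons.append("missing [Content_Types].xml")
    return reasons


def classify(filename: str, data: bytes) -> str:
    """Example gateway decision (assumed policy): 'allow', 'quarantine' or 'block'."""
    reasons = find_macro_indicators(data)
    if not reasons:
        return "allow"
    if reasons == ["not an OOXML container"] or reasons == ["missing [Content_Types].xml"]:
        # Cannot be inspected structurally: hold it rather than deliver it.
        return "quarantine"
    # Any VBA indicator in an inbound document from outside is blocked outright.
    return "block"


if __name__ == "__main__":
    for name, doc in (
        ("covid_update.docm", build_sample_doc(MACRO_CONTENT_TYPE, True)),
        ("covid_update.docx", build_sample_doc(CLEAN_CONTENT_TYPE, False)),
    ):
        print(name, classify(name, doc), find_macro_indicators(doc))
```

The check deliberately ignores the extension: a document renamed from .docm to .docx still carries `word/vbaProject.bin`, and that part, not the file name, is what the gateway should key on.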
Bridging the Air Gap
Kaspersky's investigation shows that attackers used their access on the corporate network to gain access to a completely restricted segment that had no direct Internet access. To do that, the adversary used stolen credentials to get into administrator workstations with access to both environments. They also obtained credentials to a virtual router that admins used to connect to systems in both environments. The attackers configured the router to host and deploy additional malware on the OT network and abused a web interface on it to exfiltrate data from the restricted network.
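The bridging path described above has three observable stages: a workstation that reaches both the corporate LAN and the restricted segment, a bulk upload from a restricted host to the management web interface of the dual-homed virtual router, and traffic leaving the restricted segment at all. The script below is an added example, not part of Kaspersky's report or tooling: it replays those three checks over constructed NetFlow-style records. The subnet ranges, the router's two addresses, the management ports and the 50 MB threshold are all assumptions chosen for the example.

```python
"""Spot segmentation-bridging behaviour in flow records (added example)."""
import ipaddress
from collections import defaultdict

# Assumed network layout for the example.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")      # corporate LAN
RESTRICTED = ipaddress.ip_network("10.200.0.0/16")    # isolated (no Internet) segment
ROUTER_ADDRS = {                                       # the dual-homed virtual router
    ipaddress.ip_address("10.10.9.1"),
    ipaddress.ip_address("10.200.0.1"),
}
MGMT_WEB_PORTS = {80, 443, 8443}                       # router web UI ports (assumption)
EXFIL_BYTES = 50 * 1024 * 1024                         # example threshold: 50 MB per src/dst pair

# Constructed flow records: timestamp, src, dst, dst port, bytes. Comments after '#'.
FLOWS = """\
2020-06-12T09:01:00 10.10.5.21  10.10.0.5    445  12000     # admin workstation -> corporate file server
2020-06-12T09:03:00 10.10.5.21  10.200.1.10  3389 900       # same workstation -> host in restricted segment
2020-06-12T09:20:00 10.200.1.10 10.200.0.1   443  81000000  # restricted host uploads 81 MB to router web UI
2020-06-12T09:22:00 10.200.1.12 10.200.1.10  445  2000      # restricted-internal traffic, normal
2020-06-12T09:30:00 10.200.1.12 203.0.113.7  443  4000      # restricted host reaching outside: should never happen
2020-06-12T10:00:00 10.10.7.3   10.10.0.5    445  5000      # ordinary corporate host
"""


def parse_flows(text):
    """Parse the whitespace-separated records, dropping trailing '#' comments."""
    recs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        ts, src, dst, dport, nbytes = fields
        recs.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     int(dport), int(nbytes)))
    return recs


def bridging_hosts(recs):
    """Sources that talk to both segments: the hosts whose credentials bridge the gap."""
    seen = defaultdict(set)
    for _, src, dst, _, _ in recs:
        if dst in CORPORATE:
            seen[src].add("corporate")
        elif dst in RESTRICTED:
            seen[src].add("restricted")
    return sorted(str(h) for h, segs in seen.items() if len(segs) == 2)


def bulk_mgmt_uploads(recs, threshold=EXFIL_BYTES):
    """(src, dst, port) pairs pushing more than `threshold` bytes into a router web interface."""
    totals = defaultdict(int)
    for _, src, dst, dport, nbytes in recs:
        if dst in ROUTER_ADDRS and dport in MGMT_WEB_PORTS:
            totals[(str(src), str(dst), dport)] += nbytes
    return sorted((k, v) for k, v in totals.items() if v >= threshold)


def restricted_egress(recs):
    """Destinations outside the restricted segment (other than the router) reached from inside it."""
    return sorted({
        str(dst) for _, src, dst, _, _ in recs
        if src in RESTRICTED and dst not in RESTRICTED and dst not in ROUTER_ADDRS
    })


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    print("hosts reaching both segments:", bridging_hosts(recs))
    print("bulk uploads to router web UI:", bulk_mgmt_uploads(recs))
    print("egress from restricted segment:", restricted_egress(recs))
```

The first check does not by itself indicate compromise: the admin workstations in the incident were legitimately able to reach both environments. Its value is as an inventory of exactly the hosts and accounts whose theft collapses the segmentation, which is where the other two checks and the tightest credential controls belong.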
Kopeytsev says the campaign poses a threat to organizations in the US defense sector.
"In my opinion, the risk is high. Attacks are carefully prepared and aimed at stealing confidential data from defense contractors," he says. "In the case of a successful attack, this may have big consequences."