North Korea's Lazarus Group Expands to Stealing Defense Secrets

Several gigabytes of sensitive data stolen from one restricted network, with organizations in more than 12 countries impacted, Kaspersky says.

The Lazarus Group, North Korea's advanced persistent threat (APT) actor, appears to have broadened its primary mission of stealing money for the cash-starved regime via cyberattacks to stealing defense secrets.

Researchers at Kaspersky say last year the group was able to successfully transfer several gigabytes worth of sensitive information from a restricted network belonging to an organization in the defense sector. Kaspersky discovered the breach when it was called in to assist with incident response following a security incident at the organization.

One especially troubling aspect of the attack was the manner in which Lazarus operators overcame network segmentation at the organization to access a completely isolated segment of its network and exfiltrate data.

"We do not know what specific information was stolen since the evidence related to this was not transferred to us," says Vyacheslav Kopeytsev, senior security researcher at Kaspersky. "Based on the profile of the organization, it can be assumed that the attackers were interested in data on the production of weapons or military equipment."

The Lazarus Group is arguably one of the most active — and notorious — APT groups in operation. Researchers have tied the group to numerous high-profile and highly destructive attacks, including the one on Sony in 2014, the WannaCry ransomware outbreak in 2017, the theft of over $80 million from Bangladesh Bank in 2017, and attacks on several cryptocurrency operations. Though the group has been associated with several cyber espionage and hacktivist campaigns, security researchers believe one of its main missions is to use cyberattacks to steal money for North Korea's nuclear and ballistic missile programs.

According to Kaspersky, starting sometime in early 2020, the group appears to have expanded its mission to gathering defense secrets. Its primary weapon in the campaign is a backdoor called "ThreatNeedle," which the group uses to move laterally on compromised networks. So far, defense-sector organizations in more than one dozen countries have been impacted.

Kopeytsev says Kaspersky can't say for sure whether US organizations have been caught up in the campaign. Kaspersky's analysis of connections to a malware command-and-control server used in the operation shows connections from the United States. While those connections could be from victim organizations, they could equally be from other security researchers who are investigating the same campaign, he says.

Like most modern threat campaigns, the Lazarus Group's attacks on the defense sector have involved the use of well-themed and well-scripted spear-phishing emails. In the attack that Kaspersky investigated, the emails were sent to individuals at various departments within the organization. The very realistic-looking emails purported to contain COVID-19 updates from the deputy head doctor of a medical center that is part of the organization. The emails contained a Word document with a macro that, when enabled, downloaded and executed other malware leading to the installation of ThreatNeedle, Kaspersky says.

COVID-19 was only one of several phishing lures that the group used in its bid to gain an initial foothold on the target network. Other lures included documents appearing to be from major defense contractors.

In early June 2020, an employee at the targeted organization opened one of the malicious attachments, allowing Lazarus Group members to gain remote control of the infected host and install ThreatNeedle on it. Kaspersky described the backdoor as part of a broader malware family called Manuscrypt that the Lazarus Group has used in numerous attacks on cryptocurrency operators and against a mobile game provider. The group uses the malware to conduct initial reconnaissance on an infected network and to collect credentials and move laterally by installing additional malware on it.

Bridging the Air Gap

Kaspersky's investigation shows that attackers used their access on the corporate network to gain access to a completely restricted segment that had no direct Internet access. To do that, the adversary used stolen credentials to get into administrator workstations with access to both environments. They also obtained credentials to a virtual router that admins used to connect to systems in both environments. The attackers configured the router to host and deploy additional malware on the OT network and abused a web interface on it to exfiltrate data from the restricted network.
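
A defender can look for this pattern in flow logs. The following is an added example, not code from Kaspersky or from the original article: it flags traffic that crosses the segment boundary from hosts not approved to bridge it, and bulk transfers from restricted hosts to the router's web interface. The address plan, the approved-host list, the router address, the threshold and the flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed address plan and host roles (hypothetical, not from the article).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "restricted": ipaddress.ip_network("10.99.0.0/24"),
}
APPROVED_BRIDGES = {"10.10.5.20"}   # admin workstation allowed into both segments
ROUTER = "10.99.0.1"                # restricted-side address of the virtual router
WEB_PORTS = {80, 443}               # router web interface
BYTE_LIMIT = 100 * 1024 * 1024      # alert threshold for one flow (100 MiB)

# Constructed flow records: src,dst,dst_port,bytes sent from src to dst
SAMPLE_FLOWS = """\
10.10.5.20,10.10.1.8,445,12000
10.10.5.20,10.99.0.15,3389,88000
10.10.7.41,10.10.1.8,445,5100
10.10.7.41,10.99.0.1,443,2400
10.99.0.15,10.99.0.1,80,734003200
10.10.3.9,10.10.1.8,53,300
"""

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(flow_text):
    """Return findings as (rule, src, dst, port) tuples, in log order."""
    findings = []
    for line in flow_text.strip().splitlines():
        src, dst, port, nbytes = line.split(",")
        port, nbytes = int(port), int(nbytes)
        s, d = segment_of(src), segment_of(dst)
        # Rule 1: traffic crossing the segment boundary from a host that
        # is not an approved bridge.
        if s and d and s != d and src not in APPROVED_BRIDGES:
            findings.append(("unapproved-cross-segment", src, dst, port))
        # Rule 2: a restricted host pushing bulk data to the router's web UI.
        if (s == "restricted" and dst == ROUTER
                and port in WEB_PORTS and nbytes > BYTE_LIMIT):
            findings.append(("bulk-upload-to-router-web-ui", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Rule 1 deliberately ignores approved bridge hosts, so logons to those workstations with stolen credentials, as in the incident described, need separate monitoring.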

Kopeytsev says the campaign poses a threat to organizations in the US defense sector.

"In my opinion, the risk is high. Attacks are carefully prepared and aimed at stealing confidential data from defense contractors," he says. "In the case of a successful attack, this may have big consequences."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
