Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:20 PM
Connect Directly

North Korea's Lazarus Group Expands to Stealing Defense Secrets

Several gigabytes of sensitive data stolen from one restricted network, with organizations in more than 12 countries impacted, Kaspersky says.

The Lazarus Group, North Korea's advanced persistent threat (APT) actor, appears to have broadened its primary mission of stealing money for the cash-starved regime via cyberattacks to stealing defense secrets.

Researchers at Kaspersky say last year the group was able to successfully transfer several gigabytes worth of sensitive information from a restricted network belonging to an organization in the defense sector. Kaspersky discovered the breach when it was called in to assist with incident response following a security incident at the organization.

One especially troubling aspect of the attack was the manner in which Lazarus operators overcame network segmentation at the organization to access a completely isolated segment of its network and exfiltrate data.

Related Content:

US Unseals Indictments Against North Korean Cyberattackers for Thefts Totaling $1.3B

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

"We do not know what specific information was stolen since the evidence related to this was not transferred to us," says Vyacheslav Kopeytsev, senior security researcher at Kaspersky. "Based on the profile of the organization, it can be assumed that the attackers were interested in data on the production of weapons or military equipment."

The Lazarus Group is arguably one of the most active — and notorious — APT groups in operation. Researchers have tied the group to numerous high-profile and highly destructive attacks, including the one on Sony in 2014, the WannaCry ransomware outbreak in 2017, the theft of over $80 million from Bangladesh Bank in 2017, and attacks on several cryptocurrency operations. Though the group has been associated with several cyber espionage and hacktivist campaigns, security researchers believe one of its main missions is to use cyberattacks to steal money for North Korea's nuclear and ballistic missile programs.

According to Kaspersky, starting sometime in early 2020, the group appears to have expanded its mission to gathering defense secrets. It's primary weapon in the campaign is a backdoor called "ThreatNeedle," which the group uses to move laterally on compromised networks. So far, defense-sector organizations in more than one dozen countries have been impacted.

Kopeytsev says Kaspersky can't say for sure whether US organizations have been caught up in the campaign. Kaspersky's analysis of connections to a malware command-and-control server used in the operation shows connections from the United States. While those connections could be from victim organizations, they could as equally be from other security researchers who are investigating the same campaign, he says.

Like most modern threat campaigns, the Lazarus Group's attacks on the defense sector have involved the use of well-themed and well-scripted spear-phishing emails. In the attack that Kaspersky investigated, the emails were sent to individuals at various departments within the organization. The very realistic-looking emails purported to contain COVID-19 updates from the deputy head doctor of a medical center that is part of the organization. The emails contained a Word document with a macro that, when enabled, downloaded and executed other malware leading to the installation of ThreatNeedle, Kaspersky says.

COVID-19 was only one of several phishing lures that the group used in its bid to gain an initial foothold on the target network. Other lures including documents appearing to be from major defense contractors.

In early June 2020, an employee at the targeted organization opened one of the malicious attachments, allowing Lazarus Group members to gain remote control of the infected host and install ThreatNeedle on it. Kaspersky described the backdoor as part of a broader malware family called Manuscrypt that the Lazarus Group has used in numerous attacks on cryptocurrency operators and against a mobile game provider. The group uses the malware to conduct initial reconnaissance on an infected network and to collect credentials and move laterally by installing additional malware on it.

Bridging the Air Gap
Kaspersky's investigation shows that attackers used their access on the corporate network to gain access to a completely restricted segment that had no direct Internet access. To do that, the adversary used stolen credentials to get into administrator workstations with access to both environments. They also obtained credentials to a virtual router that admins used to connect to systems in both environments. The attackers configured the router to host and deploy additional malware on the OT network and abused a web interface on it to exfiltrate data from the restricted network.

Kopeytsev says the campaign poses a threat to organizations in the US defense sector.

"In my opinion, the risk is high. Attacks are carefully prepared and aimed at stealing confidential data from defense contractors," he says. "In the case of a successful attack, this may have big consequences."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version You can get the update to regularly via the Auto-U...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below We recommend to update to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions o...