
Threat Intelligence

2/25/2021 04:20 PM

North Korea's Lazarus Group Expands to Stealing Defense Secrets

Several gigabytes of sensitive data stolen from one restricted network, with organizations in more than 12 countries impacted, Kaspersky says.

The Lazarus Group, North Korea's advanced persistent threat (APT) actor, appears to have broadened its primary mission of stealing money for the cash-starved regime via cyberattacks to stealing defense secrets.

Researchers at Kaspersky say last year the group was able to successfully transfer several gigabytes worth of sensitive information from a restricted network belonging to an organization in the defense sector. Kaspersky discovered the breach when it was called in to assist with incident response following a security incident at the organization.

One especially troubling aspect of the attack was the manner in which Lazarus operators overcame network segmentation at the organization to access a completely isolated segment of its network and exfiltrate data.


"We do not know what specific information was stolen since the evidence related to this was not transferred to us," says Vyacheslav Kopeytsev, senior security researcher at Kaspersky. "Based on the profile of the organization, it can be assumed that the attackers were interested in data on the production of weapons or military equipment."

The Lazarus Group is arguably one of the most active — and notorious — APT groups in operation. Researchers have tied the group to numerous high-profile and highly destructive attacks, including the one on Sony in 2014, the WannaCry ransomware outbreak in 2017, the theft of over $80 million from Bangladesh Bank in 2017, and attacks on several cryptocurrency operations. Though the group has been associated with several cyber espionage and hacktivist campaigns, security researchers believe one of its main missions is to use cyberattacks to steal money for North Korea's nuclear and ballistic missile programs.

According to Kaspersky, starting sometime in early 2020, the group appears to have expanded its mission to gathering defense secrets. Its primary weapon in the campaign is a backdoor called "ThreatNeedle," which the group uses to move laterally on compromised networks. So far, defense-sector organizations in more than a dozen countries have been impacted.

Kopeytsev says Kaspersky can't say for sure whether US organizations have been caught up in the campaign. Kaspersky's analysis of connections to a malware command-and-control server used in the operation shows connections from the United States. While those connections could be from victim organizations, they could as equally be from other security researchers who are investigating the same campaign, he says.

Like most modern threat campaigns, the Lazarus Group's attacks on the defense sector have involved the use of well-themed and well-scripted spear-phishing emails. In the attack that Kaspersky investigated, the emails were sent to individuals at various departments within the organization. The very realistic-looking emails purported to contain COVID-19 updates from the deputy head doctor of a medical center that is part of the organization. The emails contained a Word document with a macro that, when enabled, downloaded and executed other malware leading to the installation of ThreatNeedle, Kaspersky says.

COVID-19 was only one of several phishing lures that the group used in its bid to gain an initial foothold on the target network. Other lures included documents that appeared to be from major defense contractors.

In early June 2020, an employee at the targeted organization opened one of the malicious attachments, allowing Lazarus Group members to gain remote control of the infected host and install ThreatNeedle on it. Kaspersky described the backdoor as part of a broader malware family called Manuscrypt that the Lazarus Group has used in numerous attacks on cryptocurrency operators and against a mobile game provider. The group uses the malware to conduct initial reconnaissance on an infected network and to collect credentials and move laterally by installing additional malware on it.

Bridging the Air Gap
Kaspersky's investigation shows that attackers used their access on the corporate network to gain access to a completely restricted segment that had no direct Internet access. To do that, the adversary used stolen credentials to get into administrator workstations with access to both environments. They also obtained credentials to a virtual router that admins used to connect to systems in both environments. The attackers configured the router to host and deploy additional malware on the OT network and abused a web interface on it to exfiltrate data from the restricted network.
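The pivot described above (stolen credentials used on administrator workstations that can reach both the corporate and the restricted segment) leaves a trace in authentication logs that a defender can hunt for: one account authenticating into more than one segment, and one host that is a logon destination from one segment and a logon source into another. The following Python script is an added example, not Kaspersky's tooling or anything from the article; the segment ranges, account names, and logon records are constructed for illustration, and the router web-interface exfiltration is out of scope here.

```python
"""Hunt for accounts and hosts whose logons bridge two network segments.

Added example: segment ranges and logon records below are constructed, not
taken from the incident in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed segment map: corporate LAN and the restricted (no Internet) segment.
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "restricted": ip_network("10.200.0.0/16"),
}

# Constructed logon records: (timestamp, account, source IP, destination IP).
# 10.10.1.10 plays the dual-homed admin workstation; admin02 is the stolen account.
SAMPLE_LOGONS = [
    ("2020-06-03T09:12:00", "j.doe",      "10.10.5.21", "10.10.5.40"),
    ("2020-06-03T09:30:00", "admin02",    "10.10.5.21", "10.10.1.10"),
    ("2020-06-03T09:35:00", "admin02",    "10.10.1.10", "10.200.3.7"),
    ("2020-06-03T10:02:00", "admin02",    "10.10.1.10", "10.200.3.9"),
    ("2020-06-03T11:00:00", "svc_backup", "10.200.0.5", "10.200.0.6"),
]


def segment_of(ip: str) -> str:
    """Map an IP address to its segment name, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse(records):
    """Turn the raw tuples into (datetime, account, src, dst)."""
    return [(datetime.fromisoformat(ts), acct, src, dst) for ts, acct, src, dst in records]


def find_bridging_accounts(records, window=timedelta(hours=24)):
    """Return {account: sorted segments} for accounts whose logon destinations
    span more than one segment within `window`."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst in parse(records):
        by_account[acct].append((ts, segment_of(dst)))
    flagged = {}
    for acct, events in by_account.items():
        events.sort()
        for i, (t0, _seg) in enumerate(events):
            # Segments touched in the window starting at this event.
            segs = {seg for t, seg in events[i:] if t - t0 <= window}
            if len(segs) > 1:
                flagged[acct] = sorted(segs)
                break
    return flagged


def find_pivot_hosts(records):
    """Return {host: [(inbound_segment, outbound_segment), ...]} for hosts that
    receive logons from one segment and originate logons into a different one,
    i.e. the dual-homed administrator workstation pattern."""
    dest_from = defaultdict(set)   # host -> segments its inbound logons come from
    src_into = defaultdict(set)    # host -> segments its outbound logons go to
    for _ts, _acct, src, dst in parse(records):
        dest_from[dst].add(segment_of(src))
        src_into[src].add(segment_of(dst))
    pivots = {}
    for host in set(dest_from) | set(src_into):
        inbound = dest_from.get(host, set())
        outbound = src_into.get(host, set())
        crossing = {(a, b) for a in inbound for b in outbound if a != b}
        if crossing:
            pivots[host] = sorted(crossing)
    return pivots


if __name__ == "__main__":
    print("accounts bridging segments:", find_bridging_accounts(SAMPLE_LOGONS))
    print("pivot hosts:", find_pivot_hosts(SAMPLE_LOGONS))
```

On the constructed data the script flags `admin02` as touching both segments and `10.10.1.10` as the corporate-to-restricted pivot; on real logs the same two queries run over authentication events (for example, Windows 4624/4648 or SSH accept lines) give a short list of accounts and hosts to review, and any hit outside the documented list of dual-homed admin workstations deserves attention.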

Kopeytsev says the campaign poses a threat to organizations in the US defense sector.

"In my opinion, the risk is high. Attacks are carefully prepared and aimed at stealing confidential data from defense contractors," he says. "In the case of a successful attack, this may have big consequences."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...