Lazarus Group

Last updated
Lazarus Group
라자루스 조직
Formationc. 2009
Type Advanced persistent threat
Purpose Cyberespionage, cyberwarfare
Region
Potonggang District, Pyongyang, North Korea
Methods Zero-days, spearphishing, malware, disinformation, backdoors, droppers
Official language
Korean
Parent organization
 Reconnaissance General Bureau
Korea Computer Center
Nonserviam Cyber Warfare Command
Affiliations Bureau 121, Unit 180, AndAriel
Formerly called
APT38
Gods Apostles
Gods Disciples
Guardians of Peace
ZINC
Whois Team
Hidden Cobra

The Lazarus Group (also known as Guardians of Peace or Whois Team [1] [2] [3] ) is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the group, researchers have attributed many cyberattacks to them since 2010.

Contents

Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra (used by the United States Department of Homeland Security to refer to malicious cyber activity by the North Korean government in general) [4] [5] and ZINC or Diamond Sleet [6] (by Microsoft). [7] [8] [9] According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office. [10]

The Lazarus Group has strong links to North Korea. [11] [12] The United States Department of Justice has claimed the group is part of the North Korean government's strategy to "undermine global cybersecurity ... and generate illicit revenue in violation of ... sanctions". [13] North Korea benefits from conducting cyber operations because it can present an asymmetric threat with a small group of operators, especially to South Korea. [14]

History

The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009 to 2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul. They were also responsible for attacks in 2011 and 2013. Though uncertain, it is possible that they were also behind a 2007 attack targeting South Korea. [15] A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time.

FBI wanted notice for one of the hackers of the Lazarus Group, Park Jin Hyok Cartel de la orden de captura de Park Jin Hyok.png
FBI wanted notice for one of the hackers of the Lazarus Group, Park Jin Hyok

The Lazarus Group were reported to have stolen US$12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015. [16] They have also targeted banks in Poland and Mexico. [17] The 2016 bank heist [18] included an attack on the Bangladesh Bank, successfully stealing US$81 million and was attributed to the group. In 2017, the Lazarus group was reported to have stolen US$60 million from the Far Eastern International Bank of Taiwan although the actual amount stolen was unclear, and most of the funds were recovered. [17]

It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea. [19] [20] [17] Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration cyberattacks whereas a sub-group within their organisation, which Kaspersky called Bluenoroff, specialised in financial cyberattacks. Kaspersky found multiple attacks worldwide and a direct link (IP address) between Bluenoroff and North Korea. [21]

However, Kaspersky also acknowledged that the repetition of the code could be a “false flag” meant to mislead investigators and pin the attack on North Korea, given that the worldwide WannaCry worm cyber attack copied techniques from the NSA as well. This ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public in April 2017. [22] Symantec reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack. [23]

2009 Operation Troy

The Lazarus Group's first major hacking incident took place on July 4, 2009, and sparked the beginning of "Operation Troy". This attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text "Memory of Independence Day" in the master boot record (MBR).

2013 South Korea Cyberattack (Operation 1Mission/ DarkSeoul)

Over time, attacks from this group have grown more sophisticated; their techniques and tools have become better developed and more effective. The March 2011 attack known as "Ten Days of Rain" targeted South Korean media, financial, and critical infrastructure, and consisted of more sophisticated DDoS attacks that originated from compromised computers within South Korea. The attacks continued on March 20, 2013, with DarkSeoul, a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP. At the time, two other groups going by the personas ″NewRomanic Cyber Army Team and WhoIs Team″, took credit for that attack but researchers did not know the Lazarus Group was behind it at the time. Researchers today know the Lazarus Group as a supergroup behind the disruptive attacks. [24]

Late 2014: Sony breach

The Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared stating that Sony Pictures had been hacked via unknown means; the perpetrators identified themselves as the "Guardians of Peace". Large amounts of data were stolen and slowly leaked in the days following the attack. An interview with someone claiming to be part of the group stated that they had been siphoning Sony's data for over a year. [25]

The hackers were able to access previously unreleased films, scripts for certain films, plans for future films, information about executive salaries at the company, emails, and the personal information of around 4,000 employees. [26]

Early 2016 Investigation: Operation Blockbuster

Under the name ″Operation Blockbuster″, a coalition of security companies, led by Novetta, [27] [28] was able to analyse malware samples found in different cyber-security incidents. Using that data, the team was able to analyse the methods used by the hackers. They linked the Lazarus Group to a number of attacks through a pattern of code re-usage. [29] For example, they used a little-known encryption algorithm available on the internet, the Caracachs cipher algorithm. [30]

2016 Bangladesh Bank cyber heist

Bangladesh Bank cyber heist, was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101 million, with US$20 million traced to Sri Lanka and US$81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850 million, due to suspicions raised by a misspelled instruction. [31] [32] Cybersecurity experts claimed that the North Korea–based Lazarus Group was behind the attack. [33] [34]

May 2017 WannaCry ransomware attack

The WannaCry attack was a massive ransomware cyberattack that hit institutions across the globe ranging all the way from the NHS in Britain, to Boeing, and even to Universities in China on the 12th of May, 2017. The attack lasted 7 hours and 19 minutes. Europol estimates it affected nearly 200,000 computers in 150 countries, primarily affecting Russia, India, Ukraine, and Taiwan. This was one of the first attacks of a cryptoworm. Cryptoworms are a class of malware that travels between computers using networks, without requiring direct user action for infection — in this case, exploiting TCP port 445. [35] To be infected, there is no need to click on a bad link - the malware can spread autonomously, from a computer to a connected printer, and then beyond to adjacent computers, perhaps connected to the wifi, etc. The port 445 vulnerability allowed the malware to move freely across intranets, and infect thousands of computers rapidly. The Wannacry attack was one of the first large scale uses of a cryptoworm. [36] [37]

Attack

The virus exploited a vulnerability in the Windows operating system, then encrypted the computer's data in return for a sum of Bitcoin worth roughly $300 to get the key. In order to encourage payment, the ransom demand doubled after three days, and if not paid in a week, the malware deletes the encrypted data files. The malware used a legitimate piece of software called Windows Crypto, made by Microsoft to scramble the files. Once the encryption is completed, the filename has "Wincry" appended, which is the root of the Wannacry name. Wincry was the base of the encryption, but two additional exploits, EternalBlue and DoublePulsar, were used by the malware to make it a cryptoworm. EternalBlue automatically spreads the virus through networks, while DoublePulsar triggered it to activate on a victim's computer. In other words, EternalBlue got the infected link to your computer, and DoublePulsar clicked it for you. [37]

Security researcher Marcus Hutchins brought the attack to an end when he received a copy of the virus from a friend at a security research company and discovered a kill switch hardcoded into the virus. The malware included a periodic check to see if a specific domain name was registered, and would only proceed with encryption if that domain name did not exist. Hutchins identified this check, then promptly registered the relevant domain at 3:03 pm UTC. The malware immediately stopped propagating itself and infecting new machines. This was very interesting, and is a clue as to who created the virus. Usually stopping malware takes months of back and forth fighting between the hackers and security experts, so this easy win was unexpected. Another very interesting and unusual aspect of the attack was that the files were not recoverable after paying the ransom: only $160,000 was collected, leading many to believe that the hackers weren't after the money. [37]

The easy kill switch and lack of revenue led many to believe that the attack was state-sponsored; the motive was not financial compensation, but just to cause chaos. After the attack security experts traced the DoublePulsar exploit back to the United States NSA where the exploit had been developed as a cyberweapon. The exploit was then stolen by the Shadow Brokers hacker group, who first tried to auction it off, but after failing to do that simply gave it away for free. [37] The NSA subsequently revealed the vulnerability to Microsoft who issued an update on March 14, 2017, a little under a month before the attack occurred. It wasn't enough. The update wasn't mandatory and the majority of computers with the vulnerability had not resolved the issue by the time May 12 rolled around, leading to the astonishing effectiveness of the attack.

Aftermath

The US Department of Justice and British authorities later attributed the WannaCry attack on the North Korean hacking gang, the Lazarus group. [13]

2017 cryptocurrency attacks

In 2018, Recorded Future issued a report linking the Lazarus Group to attacks on cryptocurrency Bitcoin and Monero users mostly in South Korea. [38] These attacks were reported to be technically similar to previous attacks using the WannaCry ransomware and the attacks on Sony Pictures. [39] One of the tactics used by Lazarus hackers was to exploit vulnerabilities in Hancom's Hangul, a South Korean word processing software. [39] Another tactic was to use spear-phishing lures containing malware and which were sent to South Korean students and users of cryptocurrency exchanges like Coinlink. If the user opened the malware it stole email addresses and passwords. [40] Coinlink denied their site or users emails and passwords had been hacked. [40] The report concluded that “This late-2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft...” [38] The report also said that North Korea was using these cryptocurrency attacks to avoid international financial sanctions. [41]

North Korean hackers stole US$7 million from Bithumb, a South Korean exchange in February 2017. [42] Youbit, another South Korean Bitcoin exchange company, filed for bankruptcy in December 2017 after 17% of its assets were stolen by cyberattacks following an earlier attack in April 2017. [43] Lazarus and North Korean hackers were blamed for the attacks. [44] [38] Nicehash, a cryptocurrency cloud mining marketplace lost over 4,500 Bitcoin in December 2017. An update about the investigations claimed that the attack is linked to the Lazarus Group. [45]

September 2019 attacks

In mid-September 2019, the USA issued a public alert about a new version of malware dubbed ElectricFish. [46] Since the beginning of 2019, North Korean agents have attempted five major cyber-thefts world-wide, including a successful $49 million theft from an institution in Kuwait. [46]

Late 2020 pharmaceutical company attacks

Due to the ongoing COVID-19 pandemic, pharmaceutical companies became major targets for the Lazarus Group. Using spear-phishing techniques, Lazarus Group members posed as health officials and contacted pharmaceutical company employees with malicious links. It is thought that multiple major pharma organizations were targeted, but the only one that has been confirmed was the Anglo-Swedish-owned AstraZeneca. According to a report by Reuters, [47] a wide range of employees were targeted, including many involved in COVID-19 vaccine research. It is unknown what the Lazarus Group's goal was in these attacks, but the likely possibilities include:

AstraZeneca has not commented on the incident and experts do not believe any sensitive data has been compromised as of yet.[ as of? ]

January 2021 attacks targeting cybersecurity researchers

In January 2021, Google and Microsoft both publicly reported on a group of North Korean hackers targeting cybersecurity researchers via a social engineering campaign, with Microsoft specifically attributing the campaign to the Lazarus Group. [48] [49] [50]

The hackers created multiple user profiles on Twitter, GitHub, and LinkedIn posing as legitimate software vulnerability researchers, and used those profiles to interact with posts and content made by others in the security research community. The hackers would then target specific security researchers by contacting them directly with an offer to collaborate on research, with the goal of getting the victim to download a file containing malware, or to visit a blog post on a website controlled by the hackers. [50]

Some victims who visited the blog post reported that their computers were compromised despite using fully patched versions of the Google Chrome browser, suggesting that the hackers may have used a previously unknown zero-day vulnerability affecting Chrome for the attack; [48] however, Google stated that they were unable to confirm the exact method of compromise at the time of the report. [49]

March 2022 online game Axie Infinity attack

In March 2022, the Lazarus Group was found responsible for stealing $620 million worth of cryptocurrencies from the Ronin Network, a bridge used by the Axie Infinity game. [51] The FBI said "Through our investigations we were able to confirm the Lazarus Group and APT38, cyber actors associated with [North Korea], are responsible for the theft". [52]

June 2022 Horizon Bridge attack

The FBI confirmed that the North Korean malicious cyber actor group Lazarus (also known as APT38) was responsible for the theft of $100 million of virtual currency from Harmony's Horizon bridge reported on June 24, 2022. [53]

2023 cryptocurrency attacks

A report published by blockchain security platform Immunefi, alleged that Lazarus was responsible for over $300 million in losses across crypto hacking incidents in 2023. The amount represents 17.6% of the year's total losses. [51]

June 2023 Atomic Wallet attack

In June 2023 over $100 million in cryptocurrency was stolen from users of the Atomic Wallet service, [54] and this was later confirmed by the FBI. [55]

September 2023 Stake.com hack

In September 2023 the FBI confirmed that a $41 million theft of cryptocurrency from Stake.com, an online casino and betting platform, was perpetrated by the Lazarus Group. [56]

U.S. sanctions

On 14 April 2022, the US Treasury's OFAC placed Lazarus on the SDN List under North Korea Sanctions Regulations section 510.214. [57]

2024 cryptocurrency attack

According to Indian media reports, a local cryptocurrency exchange named WazirX was hacked by the group and $234.9 million worth of crypto assets have been stolen. [58]

Education

North Korean hackers are sent vocationally to Shenyang, China for special training. They are trained to deploy malware of all types onto computers, computer networks, and servers. Education domestically includes the Kim Chaek University of Technology, Kim Il Sung University and Moranbong University, which picks the brightest students from across the country and puts them through six years of special education. [10] [59] Beyond the university level, "some of the brightest programmers . . . are sent to Moranbong University or Mirim College." [60] [61]

Units

Lazarus is believed to have two units. [62] [63]

BlueNorOff

BlueNorOff (also known as: APT38, Stardust Chollima, BeagleBoyz, NICKEL GLADSTONE [64] ) is a financially motivated group that is responsible for the illegal transfers of money via forging orders from SWIFT. BlueNorOff is also called APT38 (by Mandiant) and Stardust Chollima (by Crowdstrike). [65] [66]

According to a 2020 report by the U.S. Army, Bluenoroff has about 1,700 members carrying out financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities and systems for financial gain for the regime or to take control of the system. [67] They target financial institutions and cryptocurrency exchanges, including over 16 organizations in at least 13 countries [a] between 2014 and 2021: Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. The revenue is believed to go towards the development of missile and nuclear technology. [64] [63]

BlueNorOff's most infamous attack was the 2016 Bangladesh Bank robbery in which they tried to use the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. After several of the transactions went through (US$20 million traced to Sri Lanka and US$81 million to the Philippines), the Federal Reserve Bank of New York blocked the remaining transactions, due to suspicions raised by a misspelling. [63]

Malware associated with BlueNorOff include: "DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, Electricfish, Powerratankba, and Powerspritz" [64]

Tactics commonly used by BlueNorOff include: phishing, backdoors, [63] Drive-by compromise, Watering hole attack, exploitation of insecure out-of-date versions of Apache Struts 2 to execute code on a system, strategic web compromise, and accessing Linux servers. [64] It's reported that they sometimes work together with criminal hackers. [68]

AndAriel

AndAriel (also spelled Andarial, [67] and also known as: Silent Chollima, Dark Seoul, Rifle, and Wassonite [64] ) is logistically characterized by its targeting of South Korea. AndAriel's alternative name is called Silent Chollima due to the stealthy nature of the subgroup. [69] Any organization in South Korea is vulnerable to AndAriel. Targets include government, defense, and any economic symbol. [70] [71]

According to a 2020 report by the U.S. Army, Andarial has about 1,600 members whose mission is reconnaissance, assessment of the network vulnerabilities, and mapping the enemy network for potential attack. [67] In addition to South Korea, they also target other governments, infrastructure, and businesses. Attack vectors include: ActiveX, vulnerabilities in South Korean software, watering hole attacks, spear phishing (macro), IT management products (antivirus, PMS), and supply chain (installers and updaters). Malware used include: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat. [64]

Indictments

In February 2021, the US Department of Justice indicted three members of the Reconnaissance General Bureau, a North Korean military intelligence agency, for having participated in several Lazarus hacking campaigns: Park Jin Hyok, Jon Chang Hyok and Kim Il Park. Jin Hyok had already been indicted earlier in September 2018. The individuals are not in U.S. custody. A Canadian and two Chinese individuals have also been charged with having acted as money mules and money launderers for the Lazarus group. [72] [73]

See also

Notes

  1. "according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam" [63]

Related Research Articles

Ransomware is a type of malware that encrypts the victim's personal data until a ransom is paid. They commonly use difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Sometimes the original files can be retrieved without paying the ransom due to implementation mistakes, leaked cryptographic keys or a complete lack of encryption in the ransomware.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

<span class="mw-page-title-main">2014 Sony Pictures hack</span> 2014 release of hacked data from Sony Pictures

On November 24, 2014, the hacker group "Guardians of Peace" leaked confidential data from the film studio Sony Pictures Entertainment (SPE). The data included employee emails, personal and family information, executive salaries, copies of then-unreleased films, future film plans, screenplays, and other information. The perpetrators then employed a variant of the Shamoon wiper malware to erase Sony's computer infrastructure.

Carbanak is an APT-style campaign targeting financial institutions, that was discovered in 2014 by the Russian cyber security company Kaspersky Lab. It utilizes malware that is introduced into systems running Microsoft Windows using phishing emails, which is then used to steal money from banks via macros in documents. The hacker group is said to have stolen over 900 million dollars from the banks as well as money from over a thousand private customers.

Cyberwarfare is a part of the Iranian government's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field. Since November 2010, an organization called "The Cyber Defense Command" has been operating in Iran under the supervision of the country's "Passive Civil Defense Organization" which is itself a subdivision of the Joint Staff of Iranian Armed Forces.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

<span class="mw-page-title-main">Bangladesh Bank robbery</span> 2016 bank cyber heist

The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist, was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101 million, with US$81 million traced to the Philippines and US$20 million to Sri Lanka. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850 million, due to suspicions raised by a misspelled instruction. As of 2018, only around US$18 million of the US$81 million transferred to the Philippines has been recovered, and all the money transferred to Sri Lanka has since been recovered. Most of the money transferred to the Philippines went to four personal accounts, held by single individuals, and not to companies or corporations.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

In 2015 and 2016, a series of cyberattacks using the SWIFT banking network were reported, resulting in the successful theft of millions of dollars. The attacks were perpetrated by a hacker group known as APT 38 whose tactics, techniques and procedure overlap with the infamous Lazarus Group who are believed to be behind the Sony attacks. Experts agree that APT 38 was formed following the March 2013 sanctions and the first known operations connected to this group occurred in February 2014. If the attribution to North Korea is accurate, it would be the first known incident of a state actor using cyberattacks to steal funds.

<span class="mw-page-title-main">WannaCry ransomware attack</span> 2017 worldwide ransomware cyberattack

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It was propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end of life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

Cryptocurrency and crime describe notable examples of cybercrime related to theft of cryptocurrencies and some methods or security vulnerabilities commonly exploited. Cryptojacking is a form of cybercrime specific to cryptocurrencies used on websites to hijack a victim's resources and use them for hashing and mining cryptocurrency.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

<span class="mw-page-title-main">Park Jin Hyok</span> North Korean computer programmer and hacker

Park Jin Hyok (Korean: 박진혁) is a North Korean programmer and hacker. He is best known for his alleged involvement in some of the costliest computer intrusions in history. Park is on the FBI's wanted list. North Korea denies his existence.

References

  1. "North Korea Designations; Global Magnitsky Designation". U.S. Department of the Treasury. 2019. LAZARUS GROUP (a.k.a. "APPLEWORM"; a.k.a. "APT-C-26"; a.k.a. "GROUP 77"; a.k.a. "GUARDIANS OF PEACE"; a.k.a. "HIDDEN COBRA"; a.k.a. "OFFICE 91"; a.k.a. "RED DOT"; a.k.a. "TEMP.HERMIT"; a.k.a. "THE NEW ROMANTIC CYBER ARMY TEAM"; a.k.a. "WHOIS HACKING TEAM"; a.k.a. "ZINC"), Potonggang District...
  2. "Lazarus Group | InsightIDR Documentation". Rapid7. Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomantic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC
  3. "NICKEL ACADEMY | Secureworks". secureworks.com. Black Artemis (PWC), COVELLITE (Dragos), CTG-2460 (SCWX CTU), Dark Seoul, Guardians of Peace, HIDDEN COBRA (U.S. Government), High Anonymous, Labyrinth Chollima (CrowdStrike), New Romanic Cyber Army Team, NNPT Group, The Lazarus Group, Who Am I?, Whois Team, ZINC (Microsoft)
  4. "HIDDEN COBRA – North Korea's DDoS Botnet Infrastructure | CISA". us-cert.cisa.gov. CISA. 2017.
  5. "Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Group G0032 | MITRE ATT&CK®". MITRE ATT&CK. MITRE Corporation.
  6. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  7. "Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats". Microsoft on the Issues. 2017-12-19. Retrieved 2019-08-16.
  8. "FBI thwarts Lazarus-linked North Korean surveillance malware". IT PRO. 13 May 2019. Retrieved 2019-08-16.
  9. Guerrero-Saade, Juan Andres; Moriuchi, Priscilla (January 16, 2018). "North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign". Recorded Future. Archived from the original on January 16, 2018.
  10. 1 2 "Drugs, arms, and terror: A high-profile defector on Kim's North Korea". BBC News. 2021-10-10. Retrieved 2021-10-11.
  11. "Who is Lazarus? North Korea's Newest Cybercrime Collective". www.cyberpolicy.com. Retrieved 2020-08-26.
  12. Beedham, Matthew (2020-01-09). "North Korean hacker group Lazarus is using Telegram to steal cryptocurrency". Hard Fork | The Next Web. Retrieved 2020-08-26.
  13. 1 2 "North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions". www.justice.gov. 2018-09-06. Retrieved 2022-01-14.
  14. "BBC World Service - The Lazarus Heist, 10. Kill switch". BBC. 20 June 2021. Retrieved 2022-04-21.
  15. "Security researchers say mysterious 'Lazarus Group' hacked Sony in 2014". The Daily Dot. 24 February 2016. Retrieved 2016-02-29.
  16. "SWIFT attackers' malware linked to more financial attacks". Symantec. 2016-05-26. Retrieved 2017-10-19.
  17. 1 2 3 Ashok, India (2017-10-17). "Lazarus: North Korean hackers suspected to have stolen millions in Taiwan bank cyberheist". International Business Times UK. Retrieved 2017-10-19.
  18. "Two bytes to $951m". baesystemsai.blogspot.co.uk. Retrieved 2017-05-15.
  19. "Cyber attacks linked to North Korea, security experts claim". The Telegraph. 2017-05-16. Retrieved 2017-05-16.
  20. Solon, Olivia (2017-05-15). "WannaCry ransomware has links to North Korea, cybersecurity experts say". The Guardian. ISSN   0261-3077 . Retrieved 2017-05-16.
  21. GReAT – Kaspersky Lab's Global Research & Analysis Team (2017-03-03). "Lazarus Under The Hood". Securelist. Retrieved 2017-05-16.
  22. The WannaCry Ransomware Has a Link to Suspected North Korean Hackers (2017-03-03). "The Wired". Securelist. Retrieved 2017-05-16.
  23. "More evidence for WannaCry 'link' to North Korean hackers". BBC News. 2017-05-23. Retrieved 2017-05-23.
  24. "The Sony Hackers Were Causing Mayhem Years Before They Hit the Company". WIRED. Retrieved 2016-03-01.
  25. "Sony Got Hacked Hard: What We Know and Don't Know So Far". WIRED. Retrieved 2016-03-01.
  26. "A Breakdown and Analysis of the December, 2014 Sony Hack". www.riskbasedsecurity.com. 5 December 2014. Archived from the original on 2016-03-04. Retrieved 2016-03-01.
  27. Van Buskirk, Peter (2016-03-01). "Five Reasons Why Operation Blockbuster Matters". Novetta. Archived from the original on 2017-07-07. Retrieved 2017-05-16.
  28. "Novetta Exposes Depth of Sony Pictures Attack — Novetta". 24 February 2016. Archived from the original on 27 January 2018. Retrieved 19 June 2016.
  29. "Kaspersky Lab helps to disrupt the activity of the Lazarus Group responsible for multiple devastating cyber-attacks | Kaspersky Lab". www.kaspersky.com. Archived from the original on 2016-09-01. Retrieved 2016-02-29.
  30. "Operation blockbuster (page 28)" (PDF). United States Naval Academy. 2018.
  31. Schram, Jamie (22 March 2016). "Congresswoman wants probe of 'brazen' $81M theft from New York Fed". New York Post.
  32. Shapiro, Scott (2023). Fancy Bear Goes Phishing: The dark history of the information age, in five extraordinary hacks (1st ed.). New York: Farrar, Straus and Giroux. p. 316. ISBN   978-0-374-60117-1.
  33. "Cybercriminal Lazarus group hacked Bangladesh Bank". thedailystar.net. April 20, 2017. Retrieved 13 May 2021.
  34. "US charges North Korean over Bangladesh Bank hack". finextra.com. 6 September 2018. Retrieved 13 May 2021.
  35. "How to defend against TCP port 445 and other SMB exploits". SearchSecurity. Retrieved 2022-01-14.
  36. Storm, Darlene (2016-04-13). "Cryptoworms: The future of ransomware hell". Computerworld. Retrieved 2022-01-14.
  37. 1 2 3 4 10. Kill switch, 2021-06-20, retrieved 2022-01-14
  38. 1 2 3 Al Ali, Nour (2018-01-16). "North Korean Hacker Group Seen Behind Crypto Attack in South". Bloomberg.com. Retrieved 2018-01-17.
  39. 1 2 Kharpal, Arjun (2018-01-17). "North Korea government-backed hackers are trying to steal cryptocurrency from South Korean users". CNBC. Retrieved 2018-01-17.
  40. 1 2 Mascarenhas, Hyacinth (2018-01-17). "Lazarus: North Korean hackers linked to Sony hack were behind cryptocurrency attacks in South Korea". International Business Times UK. Retrieved 2018-01-17.
  41. Limitone, Julia (2018-01-17). "Bitcoin, cryptocurrencies targeted by North Korean hackers, report reveals". Fox Business. Retrieved 2018-01-17.
  42. Ashford, Warwick (2018-01-17). "North Korean hackers tied to cryptocurrency attacks in South Korea". Computer Weekly. Retrieved 2018-01-17.
  43. "South Korean crypto exchange files for bankruptcy after hack". The Straits Times. 2017-12-20. Retrieved 2018-01-17.
  44. "Bitcoin exchanges targeted by North Korean hackers, analysts say". MSN Money. 2017-12-21. Archived from the original on 2018-01-18. Retrieved 2018-01-17.
  45. "NiceHash security breach investigation update – NiceHash". NiceHash. Retrieved 2018-11-13.
  46. 1 2 Volz (September 16, 2019). "U.S. Targets North Korean Hacking as National-Security Threat". MSN. Retrieved September 16, 2019.
  47. Stubbs, Jack (November 27, 2020). "Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources". Reuters.
  48. 1 2 Newman, Lily Hay. "North Korea Targets—and Dupes—a Slew of Cybersecurity Pros". Wired. ISSN   1059-1028 . Retrieved 2023-03-17.
  49. 1 2 "New campaign targeting security researchers". Google. 2021-01-25. Retrieved 2023-03-13.
  50. 1 2 Intelligence, Microsoft Threat Intelligence Center (MSTIC), Microsoft Defender Threat (2021-01-28). "ZINC attacks against security researchers". Microsoft Security Blog. Retrieved 2023-03-13.{{cite web}}: CS1 maint: multiple names: authors list (link)
  51. 1 2 "North Korea–linked Lazarus Group responsible for nearly 20% of crypto losses—more than $300 million worth—in 2023". Fortune Crypto. Retrieved 2023-12-15.
  52. "North Korean hackers target gamers in $615m crypto heist - US". BBC News. 2022-04-15. Retrieved 2022-04-15.
  53. "FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft". Federal Bureau of Investigation. Retrieved 2023-03-22.
  54. Satter, Raphael (2023-06-13). "North Korean hackers stole $100 million in recent cryptocurrency heist, analysts say". Reuters. Retrieved 2023-12-05.
  55. "FBI Identifies Cryptocurrency Funds Stolen by DPRK". FBI. August 22, 2023.
  56. "FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com". FBI. September 6, 2023.
  57. "North Korea Designation Update". U.S. Department of the Treasury. Retrieved 2022-04-15.
  58. D'Cruze, Danny (2024-07-29). "WazirX hacked: North Korean hackers behind $235 million theft from Indian investors, report reveals". Business Today. Retrieved 2024-07-31.
  59. "How barely connected North Korea became a hacking superpower". South China Morning Post. 1 February 2018. Retrieved 10 October 2021.
  60. https://archive.today/20171221172454/https://www.nbcnews.com/news/north-korea/how-north-korea-recruits-trains-its-army-hackers-n825521
  61. https://archive.today/20241203012603/https://www.dailynk.com/english/a-look-at-mirim-college-hotbed-of/
  62. EST, Jason Murdock On 3/9/18 at 9:54 AM (2018-03-09). "As Trump cozies up to Kim Jong-un, North Korean hackers target major banks". Newsweek. Retrieved 2019-08-16.{{cite web}}: CS1 maint: numeric names: authors list (link)
  63. 1 2 3 4 5 "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups". U.S. Department of the Treasury. 2019.
  64. 1 2 3 4 5 6 Healthcare Sector Cybersecurity Coordination Center, (HC3) (2021). "North Korean Cyber Activity" (PDF). U.S. Department of Health & Human Services.{{cite web}}: CS1 maint: numeric names: authors list (link)
  65. Meyers, Adam (2018-04-06). "STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike" . Retrieved 2019-08-16.
  66. Lazarus APT Spinoff Linked to Banking Hacks | Threatpost
  67. 1 2 3 "North Korean Tactics" (PDF). Federation of American Scientists. U.S. Army. 2020. pp. E-1, E-2.
  68. "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA". 24 October 2020.
  69. Alperovitch, Dmitri (2014-12-19). "FBI Implicates North Korea in Destructive Attacks" . Retrieved 2019-08-16.
  70. Sang-Hun, Choe (2017-10-10). "North Korean Hackers Stole U.S.-South Korean Military Plans, Lawmaker Says". The New York Times. ISSN   0362-4331 . Retrieved 2019-08-16.
  71. Huss, Darien. "North Korea Bitten by Bitcoin Bug" (PDF). proofpoint.com. Retrieved 2019-08-16.
  72. Cimpanu, Catalin (February 17, 2021). "US charges two more members of the 'Lazarus' North Korean hacking group". ZDNet. Retrieved 2021-02-20.
  73. "Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe". US Dept of Justice. 17 February 2021. Archived from the original on 8 April 2023.

Sources

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.