From North Korea, The Lazarus Group. Cyber ​​warriors or cyber criminals?

(To Ciro Metuarata)
15/02/18

Being able to orientate correctly in that huge "gray area" that is becoming cyber-space is a very complex undertaking. Being able to establish who really is the executor and who the instigator of a cyber attack, especially in the context of judicial investigations, is even more so. However, in the context of the increasingly vast and varied world of hackers, it is possible to identify some criminal groups able to conduct cyber campaigns that have a global resonance.

Therefore, we dedicate a series of articles to the groups of cyber criminals considered most relevant at the planetary level, briefly reviewing their deeds. Before starting, however, it is necessary to make some prerequisites.

PrimaAs mentioned earlier, these are criminal hackers, very different from the so-called "ethical" hackers who, in many cases, constitute a precious resource but, too often, not sufficiently valued. The ethical hackers, in fact, do not derive any profit from their actions (except personal gratification) but, on the contrary, help the entities object of their attention to improve the security of the IT systems used, discovering and signaling any vulnerabilities, in advance of the real malicious.

Second: the names attributed to criminal groups are generally not the real ones, but are assigned by researchers or investigators who can identify them. Therefore, in the consideration that it often happens that a group is given more than one name, with the consequence of creating confusion, the articles will use the aliases on which most of the research carried out on them converges.

Third: both the geographical origin of these groups and their composition (criminals, intelligence operators, military, political activists, etc.), in general, are established on the basis of complex investigations that can not completely eliminate the uncertainties. In particular, researchers analyze and correlate the traces left by hackers during and after attacks such as, for example, the passwords used, the fragments of code with which the malware was written, the encryption keys, the masking techniques used. to divert the investigators, the command and control structures put in place and other peculiar elements recognizable in the tactics and techniques used by each group.

Based on this evidence, therefore, cybersecurity companies, research centers and even intelligence, identify groups of hackers and assign them their names that, as mentioned, are not always shared. Ultimately, such groups are not yet able to discover much and the impenetrable halo of secrecy that surrounds them allows them to carry out their criminal acts for the time being, with impunity.

Given these premises, let's move on to the group recently brought into play by none other than the White House: The Lazarus Group.

Specifically, in recent weeks the US government has indicated North Korea as the instigator of the devastating cyber attack of global reach, known as WannaCryptor (v.articolo). According to American investigators, moreover, the material executor would have been a group of hackers who in the past have already distinguished themselves in other cyber operations, connected with the North Korean regime: The Lazarus Groupin fact. However, apart from the presumed nationality, the genesis and composition of the group is not yet known much, so much so that it is not clear whether it is cyber criminals hired by the North Korean regime or if, rather, it is a working cell of the phantom "Unity 180 "of the Reconnaissance General Bureau. In any case, Lazarus has a peculiarity: it has offensive capacity in exponential growth and very diversified objectives worldwide. Specifically, the researchers noted that, if so far Lazarus has never developed particularly sophisticated malware, on the other hand has a strong ability to produce new ones with apparent ease. In essence the group is able to learn or devise methods of attack with a speed that is difficult to find in other cyber criminal cells. Furthermore, it is known that Lazarus It operates globally and is capable of conducting campaigns that target very different activities: armed forces, financial institutions (even those dealing with crypto currencies), companies in the energy sector and other types of private companies such as Sony which, as we will see later, in spite of himself, she was involved in a dispute between the US and North Korea.

The curriculum of Lazarus it is therefore particularly full-bodied, reflecting its dynamism and ruthlessness. In particular, already starting from 2007, the group would have been recognized for conducting some espionage campaigns and sabotage aimed at multiple objectives.

Subsequently, in the 2013 it would have been distinguished for having perpetrated cyber attacks against some banks and communications companies located in South Korea.

However, it is the 2014 the year in which Lazarus He rose to the forefront of the news, when he was attributed by the Federal Bureau of Investigation, the resounding attack on the servers of the company Sony Picture Entertainment. More precisely, the November 24 network of this company was brought to its knees by a cyber attack and a huge amount of personal data of employees was exfiltrated to an unknown destination. All of this happened at the launch of the American satirical film The Interview, distributed by Sony and judged to be a real outrage to the North Korean regime. Later, despite US retaliation, it was not long in terms of economic sanctions or cybernetic retaliation (with uncertain results), Lazarus he quickly resumed his cyber operations.

The following year, in fact, was characterized by several cyber campaigns attributed to the group in question, aimed at South Korean, US and, more limited, located in other countries, conducted through numerous malware, with different characteristics and purposes. ("Destruction" of data, rather than espionage) such as Hangman, Destrover, DeltaCharlie or WildPositron just to name a few.

In February 2016, however, a Lazarus the partially successful attempt of cyber robbery with the biggest loot ever recorded in history has been attributed: the cyber attack on the Central Bank of Bangladesh. More precisely, during two days of closure of the Central Bank, the group managed, bypassing its security systems, to order the transfer of almost 1 billion US dollars to the US Federal Reserve and from there to some current accounts in Sri Lanka and the Philippines. . Fortunately, the US institution blocked the largest tranche of the transfer and a certain amount was recovered in the following months. However, more than 60 million dollars would have lost track thanks to the numerous steps on current accounts spread across Southeast Asia. This story has raised many questions about the real nature and purpose of Lazarus, still unresolved. Was it an attempt to bring the Bangladeshi economy to its knees (in itself far from flourishing) and destabilize that country or, rather, a "vulgar" robbery?

The fact is that, later, in the 2016 - 2017 period, through the cyber campaign based on malware baptized Ratankba, the group would again focus on financial institutions, this time, belonging to half the world.

Finally, after the global attack with WannaCryptor, which has already been written, at the end of last year Lazarus he is interested in the growing business of crypto currencies and, specifically, a London banking institution, whose employees have been "targeted" by e-mails containing attachments or links to websites, compromised by a specially "packaged" malware.

In conclusion, whether it is a North Korean intelligence unit or cyber crime occasionally hired by the regime, The Lazarus Group however, it can be considered a respectable elite unit. Its ability to launch and conduct campaigns of global reach and to "change skin" continuously make it, in fact, particularly effective and extremely dangerous.

Whether it is the heirs of the ancient, fearsome Hwarang warriors (young people belonging to noble families, who were grown and trained to form military leadership) or cyber criminals who have established a profitable association with the regime, The Lazarus Group it is one of the best and most unassailable "armies" of cyber space.

 

Main sources:

https://www.google.it/amp/amp.timeinc.net/fortune/2017/06/22/cybersecuri...

https://www.wired.com/2016/02/sony-hackers-causing-mayhem-years-hit-comp...

https://www.cybersecitalia.it/wannacry-lazarus-group-alleato-della-corea...

http://securityaffairs.co/wordpress/68221/apt/lazarus-apt-arsenal.html

http://securityaffairs.co/wordpress/66780/hacking/lazarus-apt-cryptocurr...

https://www.cybersecitalia.it/wannacry-lazarus-group-alleato-della-corea...

https://www.kaspersky.com/blog/operation-blockbuster/11407/

https://www.reuters.com/article/us-cyber-northkorea-exclusive/exclusive-...

(photo: web)

https://brica.de/alerts/alert/public/1192203/lazarus-apt-group-targets-a...