sb-as logo
Story image

Lazarus Group linked to phishing attacks on cryptocurrency sector

28 Aug 2020

Cybersecurity firm F-Secure has published new research suggesting that the advanced persistent threat (APT) group Lazarus Group, also known as APT38, is behind a recent attack against a company working in the cryptocurrency space.

The attack was part of a wider campaign that targeted cryptocurrency businesses in countries including Japan, Singapore, China, South Korea, Hong Kong, the Philippines, the United States, Canada, Argentina, the United Kingdom, the Netherlands, Estonia, and Germany. The wider campaign involved phishing campaigns that have been ongoing since January 2018, if not earlier.

In this case, the attacks were launched through a phishing document sent via LinkedIn to employees at the targeted organisation. This phishing document was styled to look like a job advertisement for a role in a blockchain company.

F-Secure director of detection and response, Matt Lawrence, says the research is based on insights from the company’s incident response, tactical defence, and managed detection and response.

“This attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident. The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important,” he notes.

The research points out the ‘malicious implants’ used in the attack were almost identical to tools previously used by Lazarus Group in the past.  While the group is evolving its toolset over time, there are opportunities for organisations to create defences and protect themselves against further attacks.

F-Secure also says that Lazarus Group invests ‘significant’ effort in evading an organisation’s defences. It does this by disabling antivirus software on host devices and removing all traces of evidence of its malware.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Groups actions, but this did not result in a positive detection that was actioned. It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”

According to F-Secure, Lazarus Group’s interests ‘reportedly align’ with the Democratic People’s Republic of Korea (DPRK).  This claim is backed up by numerous government bodies, including those belonging to the United Kingdom and the United States.

The United States Department of Treasury states, “Created by the North Korean Government as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau of the RGB.  The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North Korea’s cyber operations.”

“In addition to the RGB’s role as the main entity responsible for North Korea’s malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of North Korean arms.”

The Lazarus Group has also been named as the APT behind the 2017 WannaCry ransomware attacks.