Lazarus Group hackers target cryptocurrency in global campaign

Researchers at F-Secure have uncovered a targeted, advanced attack on a cryptocurrency organization which they have linked to the Lazarus Group, and believe is part of a global, and financially motivated, hacking campaign.

Lazarus has been linked to the now infamous WannaCry attacks of 2017. This latest report identifies the tactics, techniques, and procedures (TTPs) used during the attack, such as spearphishing via a service (in this case, using LinkedIn to send a fake job offer tailored to the recipient’s profile).

"Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity, so we're confident they were behind the incident," says F-Secure director of detection and response, Matt Lawrence. "The evidence also suggests this is part of an ongoing campaign targeting organizations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks."

Based on phishing artifacts recovered from the attack, F-Secure's researchers have been able to link the incident to a wider, ongoing campaign that’s been running since at least January 2018. Similar artifacts have been used in campaigns in at least 14 other countries.

The research shows that Lazarus Group made significant effort to evade the target organization's defenses during the attack, such as disabling anti-virus software on the compromised hosts, and removing evidence of their malicious implants.

The full report is available from the F-Secure site.

Image credit: Elnur_/depositphotos.com