Lazarus Group targets medical research and energy
Researchers at WithSecure have uncovered a cyberattack campaign linked back to North Korea's notorious Lazarus Group.
It is extremely rare to be able to link a campaign as strongly to a perpetrator as WithSecure has been able to do here. The hackers have been targeting medical research and energy organizations with the intent to commit espionage.
Targets include a healthcare research organization, a manufacturer of technology used in the energy, research, defense, and healthcare sectors, as well as the chemical engineering department of a leading research university.
There are several interesting elements to this campaign compared to previous Lazarus activity. These include the use of new infrastructure, with the sole reliance on IP addresses without domain names (in a departure from previous attacks).
There's also a modified version of the Dtrack information-stealing malware used by Lazarus Group and Kimsuky -- another group associated with North Korea -- in previous attacks, along with a new version of GREASE -- malware that lets attackers create new administrator accounts with remote desktop protocol privileges and bypass firewalls.
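The GREASE behaviour described above (a freshly created local account that is promptly given administrator and Remote Desktop rights) is something a defender can hunt for in Windows Security events. The detection below is an added example, not code from WithSecure or from the report; the event records are constructed, simplified renderings of event IDs 4720 (user created) and 4732 (member added to a local group), and the field names are assumptions made for this example.

```python
"""Flag accounts that are created and then added to both the Administrators
and Remote Desktop Users groups within a short window, the pattern described
for GREASE. Event shape and field names are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report). Times are ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2023-02-01T10:00:05", "id": 4720, "target": "svc_backup", "group": None},
    {"time": "2023-02-01T10:00:09", "id": 4732, "target": "svc_backup", "group": "Administrators"},
    {"time": "2023-02-01T10:00:12", "id": 4732, "target": "svc_backup", "group": "Remote Desktop Users"},
    # A legitimate-looking account: created, then given RDP access a day later,
    # and never made an administrator. Should not be flagged.
    {"time": "2023-02-01T11:30:00", "id": 4720, "target": "jsmith", "group": None},
    {"time": "2023-02-02T09:00:00", "id": 4732, "target": "jsmith", "group": "Remote Desktop Users"},
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def find_suspicious_accounts(events, window=timedelta(minutes=10)):
    """Return account names that were created (4720) and then added (4732) to
    every group in PRIVILEGED_GROUPS within `window` of their creation."""
    created = {}   # account -> creation time
    granted = {}   # account -> privileged groups granted inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        acct = ev["target"]
        if ev["id"] == 4720:
            created[acct] = t
            granted[acct] = set()
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            # Only count group additions that follow a creation we observed
            # and fall inside the window; earlier or later additions are ignored.
            if acct in created and timedelta(0) <= t - created[acct] <= window:
                granted[acct].add(ev["group"])
    return sorted(a for a, g in granted.items() if g == PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for account in find_suspicious_accounts(SAMPLE_EVENTS):
        print(f"suspicious: new account {account} granted admin + RDP within window")
```

Widening the window (for example to a day) still does not flag `jsmith`, because that account never receives the Administrators membership.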
"While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction. And as we collected more evidence we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group," says WithSecure's senior threat intelligence researcher Sami Ruohonen.
The attack was identified partly due to an error in which the attackers briefly made use of one of the fewer than a thousand IP addresses belonging to North Korea.
But WithSecure's head of threat intelligence Tim West says this is no cause for complacency, "In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints. Even with accurate endpoint detection technologies, organizations need to continually consider how they respond to alerts, and also integrate focused threat intelligence with regular hunts to provide better defense in depth, particularly against capable and adept adversaries."
The full report is available on the WithSecure site.
Image credit: tang90246/depositphotos.com