Lazarus Group linked to phishing attacks on cryptocurrency sector

28 Aug 2020

Cybersecurity firm F-Secure has published new research suggesting that the advanced persistent threat (APT) group Lazarus Group, also known as APT38, is behind a recent attack against a company working in the cryptocurrency space.

The attack was part of a wider campaign that targeted cryptocurrency businesses in countries including Japan, Singapore, China, South Korea, Hong Kong, the Philippines, the United States, Canada, Argentina, the United Kingdom, the Netherlands, Estonia, and Germany. That wider campaign has relied on phishing activity that has been ongoing since at least January 2018.

In this case, the attacks were launched through a phishing document sent via LinkedIn to employees at the targeted organisation. This phishing document was styled to look like a job advertisement for a role in a blockchain company.

F-Secure director of detection and response, Matt Lawrence, says the research is based on insights from the company’s incident response, tactical defence, and managed detection and response.

“This attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident. The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important,” he notes.

The research points out that the ‘malicious implants’ used in the attack were almost identical to tools Lazarus Group has used previously. While the group evolves its toolset over time, organisations still have opportunities to build defences and protect themselves against further attacks.

F-Secure also says that Lazarus Group invests ‘significant’ effort in evading an organisation’s defences. It does this by disabling antivirus software on host devices and removing traces of its malware from the systems it has compromised.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Group’s actions, but this did not result in a positive detection that was actioned. It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”
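The two preceding paragraphs describe the gap that let the intrusion proceed: defence-evasion behaviour (antivirus disabled, evidence removed) was recorded as telemetry but never turned into an alert a person acted on. The following is an added example, not code from F-Secure or from the report, showing one way to close that gap: a small correlation rule that runs over host telemetry and raises a high-severity alert when real-time protection is disabled and an event log is cleared on the same host within a short window. The event names, host names and timestamps are constructed for illustration and are not indicators from the investigation.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the F-Secure report). Host ws-017 shows
# the evasion sequence the article describes; ws-042 is routine maintenance
# noise where the two events are hours apart.
SAMPLE_EVENTS = [
    {"host": "ws-017", "ts": "2020-08-20T09:14:02", "event": "process_start",
     "detail": "winword.exe"},
    {"host": "ws-017", "ts": "2020-08-20T09:15:40", "event": "av_realtime_disabled",
     "detail": "real-time protection turned off"},
    {"host": "ws-017", "ts": "2020-08-20T09:18:11", "event": "log_cleared",
     "detail": "Security"},
    {"host": "ws-042", "ts": "2020-08-20T11:02:00", "event": "av_realtime_disabled",
     "detail": "scheduled maintenance"},
    {"host": "ws-042", "ts": "2020-08-20T15:30:00", "event": "log_cleared",
     "detail": "Application"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def correlate_defence_evasion(events, window=timedelta(minutes=30)):
    """Return one alert per host where antivirus is disabled and a log is
    cleared within `window` of each other.

    Each event on its own is easy to dismiss; the value of the rule is in the
    sequence, which is why the alert carries both timestamps so an analyst can
    see what happened in between.
    """
    by_host = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(event["host"], []).append(event)

    alerts = []
    for host, host_events in by_host.items():
        disabled_at = None
        for event in host_events:
            if event["event"] == "av_realtime_disabled":
                disabled_at = parse_ts(event["ts"])
            elif event["event"] == "log_cleared" and disabled_at is not None:
                gap = parse_ts(event["ts"]) - disabled_at
                if gap <= window:
                    alerts.append({
                        "host": host,
                        "av_disabled_at": disabled_at.isoformat(),
                        "log_cleared_at": event["ts"],
                        "gap_seconds": int(gap.total_seconds()),
                        "severity": "high",
                        "action": "page on-call analyst; isolate host pending triage",
                    })
                # Reset so a later, unrelated clear is not paired with an old event.
                disabled_at = None
    return alerts


if __name__ == "__main__":
    for alert in correlate_defence_evasion(SAMPLE_EVENTS):
        print(alert)
```

The `action` field is the point the quote is making: an alert that nobody owns is still just telemetry, so the rule's output should land in a queue that a named person is expected to clear, not only in a dashboard.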

According to F-Secure, Lazarus Group’s interests ‘reportedly align’ with the Democratic People’s Republic of Korea (DPRK). This claim is backed up by numerous government bodies, including those belonging to the United Kingdom and the United States.

The United States Department of Treasury states, “Created by the North Korean Government as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau of the RGB. The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North Korea’s cyber operations.”

“In addition to the RGB’s role as the main entity responsible for North Korea’s malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of North Korean arms.”

The Lazarus Group has also been named as the APT behind the 2017 WannaCry ransomware attacks.
