Type: Advanced persistent threat
Location: Pyongyang, North Korea
Methods: Zero-days, spearphishing, malware, disinformation, backdoors, droppers
Parent organization: Reconnaissance General Bureau, Korea Computer Center
Affiliations: Unit 180, AndAriel (group), Guardians of Peace
Lazarus Group (also known by other monikers such as Guardians of Peace or Whois Team) is a cybercrime group made up of an unknown number of individuals. While little is known about the group itself, researchers have attributed many cyberattacks to it over the last decade. Originally regarded as a criminal group, it has since been designated an advanced persistent threat because of the deliberate nature of its operations, the threat it poses, and the wide array of methods it uses. Names given by cybersecurity firms and governments include HIDDEN COBRA (used by the United States Intelligence Community) and Zinc (used by Microsoft).
The earliest known attack attributed to the group is "Operation Troy", which ran from 2009 to 2012. This was a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group was also responsible for attacks in 2011 and 2013. It may also have been behind a 2007 attack targeting South Korea, but that attribution remains uncertain. The attack the group is best known for is the 2014 breach of Sony Pictures, which used far more sophisticated techniques and showed how much the group's capabilities had advanced over time.
The Lazarus Group was reported to have stolen US$12 million from Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015. It has also targeted banks in Poland and Mexico. The 2016 Bangladesh Bank heist, in which US$81 million was successfully stolen, was attributed to the group. In 2017 the group was reported to have stolen US$60 million from the Far Eastern International Bank of Taiwan, although the actual amount taken was unclear and most of the funds were recovered.
It is not clear who is really behind the group, but media reports have suggested that it has links to North Korea. Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on espionage and infiltration, whereas a sub-group within the organisation, which Kaspersky called Bluenoroff, specialised in financial attacks. Kaspersky found multiple attacks worldwide and a direct link (an IP address) between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the reuse of code could be a "false flag" meant to mislead investigators and pin the attacks on North Korea; attackers do borrow each other's tooling, as the worldwide WannaCry worm itself showed by reusing an NSA exploit. That ransomware leverages the EternalBlue exploit, which the group known as the Shadow Brokers made public in April 2017. Symantec nonetheless reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack.
2009 Operation Troy
The incident that marked the start of "Operation Troy" took place on July 4, 2009. It used the Mydoom and Dozer malware to launch a large-scale but quite unsophisticated DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and wrote the text "Memory of Independence Day" into the master boot record (MBR) of infected machines.
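An MBR overwrite of the kind described above is easy to check for during forensic triage. The following is an added example, not code from the original article or from any of the vendors it cites: it parses sector 0 of a disk image (boot signature, partition table) and flags the marker string the article quotes. The disk images are constructed inline; the partition layout and the helper names are illustrative assumptions.

```python
"""Added example (not from the original article): a forensic check for MBR
tampering, where a wiper overwrote sector 0 with a marker string.
The two disk images below are constructed samples; the marker string is the
one quoted in the article, the partition layout is an assumption."""
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"             # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446             # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, sector count
KNOWN_MARKERS = [b"Memory of Independence Day"]   # marker quoted in the article


def read_mbr(path: str) -> bytes:
    """Read sector 0 of a raw disk image or block device (not called here)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_clean_mbr() -> bytes:
    """Constructed sample: boot-code stub, one bootable NTFS partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"           # start of a typical boot-code stub (xor ax,ax; mov ...)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed sample: sector 0 overwritten with the marker string repeated."""
    marker = KNOWN_MARKERS[0] + b" "
    return (marker * (MBR_SIZE // len(marker) + 1))[:MBR_SIZE]


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table slots, skipping empty ones."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue
        parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes) -> dict:
    """Return findings that indicate the sector is not a normal MBR."""
    findings = []
    if len(mbr) < MBR_SIZE:
        findings.append("sector shorter than 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for marker in KNOWN_MARKERS:
        if marker in mbr:
            findings.append("known wiper marker present: %r" % marker.decode("ascii"))
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("no partition entries")
    for p in parts:
        if p["status"] not in (0x00, 0x80):        # only "inactive" and "bootable" are valid
            findings.append("invalid partition status byte 0x%02x" % p["status"])
    # A real MBR is mostly machine code and binary fields, not printable text.
    printable = sum(1 for b in mbr if 32 <= b < 127)
    if printable / max(len(mbr), 1) > 0.8:
        findings.append("sector is mostly printable text")
    return {"tampered": bool(findings), "findings": findings, "partitions": parts}


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_mbr()), ("wiped", build_wiped_mbr())):
        print(label, check_mbr(sample)["findings"])
```

On a live system the same check is run against a forensic image rather than the booted disk, because a wiped MBR usually means the machine no longer boots; the printable-text heuristic catches marker strings other than the one listed, at the cost of needing an analyst to confirm.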
2013 South Korea Cyberattack
Over time, attacks from this group have grown more sophisticated; their techniques and tools have become better developed and more effective. The March 2011 attack known as "Ten Days of Rain" targeted South Korean media, financial, and critical-infrastructure organisations, and consisted of more sophisticated DDoS attacks that originated from compromised computers within South Korea. The attacks continued on March 20, 2013 with DarkSeoul, a wiper attack that targeted three South Korean broadcasters, financial institutions, and an ISP. At the time, two other groups using the personas "NewRomanic Cyber Army Team" and "WhoIs Team" took credit for that attack, and researchers did not yet know the Lazarus Group was behind it. Researchers today regard the Lazarus Group as the supergroup behind these disruptive attacks.
Late 2014: Sony breach
A series of Lazarus Group attacks culminated on November 24, 2014. On that day a Reddit post appeared stating that Sony Pictures had been hacked by unknown means; the perpetrators identified themselves as the "Guardians of Peace". Large amounts of data were stolen and slowly leaked in the days following the attack. In an interview, someone claiming to be part of the group said they had been siphoning Sony's data for over a year.
The hackers gained access to previously unreleased films, emails, and the personal information of around 4,000 employees.
Early 2016 Investigation: Operation Blockbuster
Under the name "Operation Blockbuster", a coalition of security companies led by Novetta analysed malware samples recovered from different cyber-security incidents. Using that data, the team analysed the methods used by the attackers and linked the Lazarus Group to a number of attacks through a pattern of code reuse.
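Linking samples by code reuse, as described above, comes down to measuring how much of one binary's code appears verbatim in another. The block below is an added example, not the article's content or Novetta's own tooling: it fingerprints each sample as the set of hashes of its overlapping byte n-grams, scores pairs by Jaccard similarity, and groups samples that share code. All sample bytes are constructed with a seeded PRNG, and the window size and threshold are assumptions.

```python
"""Added example, not code from the original article or from Novetta's
Operation Blockbuster: clustering samples by shared code using byte n-gram
fingerprints and Jaccard similarity. Every sample below is constructed with a
seeded PRNG; nothing here is real malware."""
import hashlib
import random
from itertools import combinations

NGRAM = 16   # window length in bytes (assumed; tune for real binaries)


def fingerprint(data: bytes, n: int = NGRAM) -> set:
    """Set of short hashes of every overlapping n-byte window of the sample."""
    return {hashlib.blake2b(data[i:i + n], digest_size=8).digest()
            for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap of two fingerprint sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_matrix(samples: dict) -> dict:
    """Pairwise Jaccard similarity keyed by (name_x, name_y) in input order."""
    fps = {name: fingerprint(data) for name, data in samples.items()}
    return {(x, y): jaccard(fps[x], fps[y]) for x, y in combinations(samples, 2)}


def cluster(samples: dict, threshold: float = 0.2) -> list:
    """Link any two samples whose similarity reaches the threshold (union-find)
    and return the connected components as sorted lists of names."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    for (x, y), score in similarity_matrix(samples).items():
        if score >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed corpus: one 400-byte "routine" reused verbatim in three samples
# at different offsets, plus one sample that shares nothing with the others.
_rng = random.Random(1)


def _rand(k: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(k))


SHARED_ROUTINE = _rand(400)
SAMPLES = {
    "sampleA": _rand(300) + SHARED_ROUTINE,
    "sampleB": SHARED_ROUTINE + _rand(200),
    "sampleC": _rand(100) + SHARED_ROUTINE + _rand(100),
    "unrelated": _rand(700),
}

if __name__ == "__main__":
    for (x, y), score in similarity_matrix(SAMPLES).items():
        print("%-10s %-10s %.2f" % (x, y, score))
    print(cluster(SAMPLES))
```

A raw n-gram overlap is a candidate link, not an attribution: shared windows also come from statically linked libraries, compiler runtimes and packers, and, as the false-flag caveat earlier on this page notes, from code deliberately copied to mislead. Production pipelines filter known library code first and work at the level of disassembled functions rather than raw bytes, then hand the surviving links to an analyst.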
Mid 2017 WannaCry Attack
A US intelligence company said the WannaCry malware, which affected as many as 300,000 computers worldwide, was likely authored by hackers from southern China, Hong Kong, Taiwan or Singapore, based on a linguistic analysis of the ransom notes. The president of Microsoft, by contrast, attributed the WannaCry attack to North Korea.
2017 cryptocurrency attacks
In 2018, Recorded Future issued a report linking the Lazarus Group to attacks on Bitcoin and Monero users, mostly in South Korea. These attacks were reported to be technically similar to the earlier WannaCry ransomware campaign and the attack on Sony Pictures. One tactic used by Lazarus operators was to exploit vulnerabilities in Hancom's Hangul, a South Korean word-processing program. Another was spear-phishing lures carrying malware, sent to South Korean students and to users of cryptocurrency exchanges such as Coinlink. If the recipient opened the malware, it stole email addresses and passwords. Coinlink denied that its site or its users' emails and passwords had been compromised. The report concluded that "This late-2017 campaign is a continuation of North Korea's interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft..." The report also said that North Korea was using these cryptocurrency attacks to get round international financial sanctions.
North Korean hackers stole US$7 million from Bithumb, a South Korean exchange, in February 2017. Youbit, another South Korean Bitcoin exchange, filed for bankruptcy in December 2017 after 17% of its assets were stolen in a cyberattack that followed an earlier attack in April 2017. Lazarus and North Korean hackers were blamed for the attacks. NiceHash, a cryptocurrency cloud-mining marketplace, lost over 4,500 Bitcoin in December 2017; an update on the investigation stated that the attack was linked to the Lazarus Group.
September 2019 attacks
In mid-September 2019, the United States issued a public alert about a new version of malware dubbed ELECTRICFISH. Since the beginning of 2019, North Korean agents had attempted five major cyber-thefts worldwide, including a successful US$49 million theft from an institution in Kuwait.
Late 2020 pharmaceutical company attacks
Because of the COVID-19 pandemic, pharmaceutical companies became major targets for the Lazarus Group. Using spear-phishing, Lazarus Group members posed as health officials and contacted pharmaceutical-company employees with malicious links. Multiple major pharmaceutical organisations are thought to have been targeted, but the only confirmed one is the British-owned AstraZeneca. According to a Reuters report, a wide range of employees were targeted, including many involved in COVID-19 vaccine research. The Lazarus Group's goal in these attacks is unknown, but the likely possibilities include:
- Stealing sensitive information to be sold for profit.
- Extortion schemes.
- Giving foreign regimes access to proprietary COVID-19 research.
AstraZeneca has not commented on the incident, and experts do not believe any sensitive data has been compromised so far.
North Korean hackers are sent to Shenyang, China for specialised training, where they learn to deploy malware of all types onto computers, networks, and servers. Domestic education takes place at institutions including the Kim Chaek University of Technology and Kim Il-sung University.
Lazarus is believed to have two units.
BlueNorOff is a financially motivated unit responsible for illegal money transfers made by forging SWIFT transfer orders. BlueNorOff is also known as APT38 (by Mandiant) and Stardust Chollima (by CrowdStrike).
AndAriel is characterised by its targeting of South Korea; its alternative name, Silent Chollima, refers to the stealthy nature of the subgroup. Any organisation in South Korea is a potential AndAriel target, including government, defence, and any economic symbol.
In February 2021, the US Department of Justice indicted three members of the Reconnaissance General Bureau, a North Korean military intelligence agency, for having participated in several Lazarus hacking campaigns: Park Jin Hyok, Jon Chang Hyok and Kim Il. Park Jin Hyok had already been indicted in September 2018. None of the three is in U.S. custody. A Canadian and two Chinese individuals have also been charged with having acted as money mules and money launderers for the Lazarus group.
- Volz (September 16, 2019). "U.S. Targets North Korean Hacking as National-Security Threat". MSN.
- "Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats". Microsoft on the Issues. 2017-12-19. Retrieved 2019-08-16.
- "FBI thwarts Lazarus-linked North Korean surveillance malware". IT PRO. Retrieved 2019-08-16.
- Guerrero-Saade, Juan Andres; Moriuchi, Priscilla (January 16, 2018). "North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign". Recorded Future. Archived from the original on January 16, 2018.
- "Who is Lazarus? North Korea's Newest Cybercrime Collective". www.cyberpolicy.com. Retrieved 2020-08-26.
- Beedham, Matthew (2020-01-09). "North Korean hacker group Lazarus is using Telegram to steal cryptocurrency". Hard Fork | The Next Web. Retrieved 2020-08-26.
- "PARK JIN HYOK". Federal Bureau of Investigation. Retrieved 2020-08-26.
- "Security researchers say mysterious 'Lazarus Group' hacked Sony in 2014". The Daily Dot. Retrieved 2016-02-29.
- "SWIFT attackers' malware linked to more financial attacks". Symantec. 2016-05-26. Retrieved 2017-10-19.
- Ashok, India (2017-10-17). "Lazarus: North Korean hackers suspected to have stolen millions in Taiwan bank cyberheist". International Business Times UK. Retrieved 2017-10-19.
- "Two bytes to $951m". baesystemsai.blogspot.co.uk. Retrieved 2017-05-15.
- "Cyber attacks linked to North Korea, security experts claim". The Telegraph. 2017-05-16. Retrieved 2017-05-16.
- Solon, Olivia (2017-05-15). "WannaCry ransomware has links to North Korea, cybersecurity experts say". The Guardian. ISSN 0261-3077. Retrieved 2017-05-16.
- GReAT - Kaspersky Lab's Global Research & Analysis Team (2017-03-03). "Lazarus Under The Hood". Securelist. Retrieved 2017-05-16.
- "The WannaCry Ransomware Has a Link to Suspected North Korean Hackers". Wired. Retrieved 2017-05-16.
- "More evidence for WannaCry 'link' to North Korean hackers". BBC News. 2017-05-23. Retrieved 2017-05-23.
- "The Sony Hackers Were Causing Mayhem Years Before They Hit the Company". WIRED. Retrieved 2016-03-01.
- "Sony Got Hacked Hard: What We Know and Don't Know So Far". WIRED. Retrieved 2016-03-01.
- "A Breakdown and Analysis of the December, 2014 Sony Hack". www.riskbasedsecurity.com. Retrieved 2016-03-01.
- Van Buskirk, Peter (2016-03-01). "Five Reasons Why Operation Blockbuster Matters". Novetta. Retrieved 2017-05-16.
- "Novetta Exposes Depth of Sony Pictures Attack — Novetta". 24 February 2016.
- "Kaspersky Lab helps to disrupt the activity of the Lazarus Group responsible for multiple devastating cyber-attacks | Kaspersky Lab". www.kaspersky.com. Archived from the original on 2016-09-01. Retrieved 2016-02-29.
- "Linguistic analysis shows WannaCry ransom notes written by southern Chinese, says US intelligence firm". The Straits Times. Retrieved 2017-05-16.
- Harley, Nicola (2017-10-14). "North Korea behind WannaCry attack which crippled the NHS after stealing US cyber weapons, Microsoft chief claims". The Telegraph. ISSN 0307-1235. Retrieved 2017-10-14.
- Al Ali, Nour (2018-01-16). "North Korean Hacker Group Seen Behind Crypto Attack in South". Bloomberg.com. Retrieved 2018-01-17.
- Kharpal, Arjun (2018-01-17). "North Korea government-backed hackers are trying to steal cryptocurrency from South Korean users". CNBC. Retrieved 2018-01-17.
- Mascarenhas, Hyacinth (2018-01-17). "Lazarus: North Korean hackers linked to Sony hack were behind cryptocurrency attacks in South Korea". International Business Times UK. Retrieved 2018-01-17.
- Limitone, Julia (2018-01-17). "Bitcoin, cryptocurrencies targeted by North Korean hackers, report reveals". Fox Business. Retrieved 2018-01-17.
- Ashford, Warwick (2018-01-17). "North Korean hackers tied to cryptocurrency attacks in South Korea". Computer Weekly. Retrieved 2018-01-17.
- "South Korean crypto exchange files for bankruptcy after hack". The Straits Times. 2017-12-20. Retrieved 2018-01-17.
- "Bitcoin exchanges targeted by North Korean hackers, analysts say". MSN Money. 2017-12-21. Archived from the original on 2018-01-18. Retrieved 2018-01-17.
- "NiceHash security breach investigation update - NiceHash". NiceHash. Retrieved 2018-11-13.
- Stubbs, Jack (November 27, 2020). "Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca - sources". Reuters.
- Murdock, Jason (2018-03-09). "As Trump cozies up to Kim Jong-un, North Korean hackers target major banks". Newsweek. Retrieved 2019-08-16.
- Meyers, Adam (2018-04-06). "STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike". Retrieved 2019-08-16.
- Alperovitch, Dmitri (2014-12-19). "FBI Implicates North Korea in Destructive Attacks". Retrieved 2019-08-16.
- Sang-Hun, Choe (2017-10-10). "North Korean Hackers Stole U.S.-South Korean Military Plans, Lawmaker Says". The New York Times. ISSN 0362-4331. Retrieved 2019-08-16.
- Huss, Darien. "North Korea Bitten by Bitcoin Bug" (PDF). proofpoint.com. Retrieved 2019-08-16.
- Cimpanu, Catalin (February 17, 2021). "US charges two more members of the 'Lazarus' North Korean hacking group". ZDNet. Retrieved 2021-02-20.
- Indictment of Park Jin Hyok, September 2018
- Indictment of Park Jin Hyok, Jon Chang Hyok and Kim Il, January 2020