Kaspersky Lab revealed new details about Lazarus operations, a group of hackers responsible for high-tech bank robberies, as well as a link to North Korea.

Credit: frankieleon

Kaspersky Lab found a “direct link” between the Lazarus group banking heist hackers and North Korea.

While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of “invisible theft without leaving a trace.”

The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software, and cryptocurrency businesses.

Although Lazarus has attacked manufacturing companies, media and financial institutions in at least 18 countries since 2009, Lazarus/Bluenoroff regrouped at the end of 2016, and Kaspersky Lab said the group “rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.” Kaspersky has identified Bluenoroff watering hole attacks in Poland, Uruguay, Nigeria, the Russian Federation, Mexico, India, Peru, Norway and Australia.

The group seems to favor the strategy of silently integrating into running processes without breaking them. Kaspersky Lab says Bluenoroff’s malware “might be secretly deployed now in many other places, and it isn’t triggering any serious alarms because it’s much more quiet.” The group starts with a simple backdoor that costs it little if it is burned. If, however, the first-stage backdoor reports an interesting infection, the group deploys more advanced code and a persistent backdoor, which is carefully protected from accidental detection.

But one hacker in the group slipped up. Forensic analysis on a hacked server in Europe revealed that the attacker “used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”

The logs were likely not wiped because the hacker installed Monero cryptocurrency mining software, which locked up the system. “The software so intensely consumed system resources that the system became unresponsive and froze,” Kaspersky Lab said. “This could be the reason why it was not properly cleaned, and the server logs were preserved.”

Kaspersky Lab said, “Lazarus is not just another APT actor,” but it did not go as far as to name the North Korean government. The security firm did say, however, “the level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.”

This is not the first time researchers have suggested Lazarus is linked to North Korea. Some of the banking heists used coding techniques similar to those seen in the 2014 Sony hack. Kaspersky did not rule out the possibility that the North Korean IP could be a false flag, as when the group inserted Russian commands into its malware, using words that were inaccurately translated via online tools, in an attempt to make attribution more difficult and to send researchers after a false lead. Nevertheless, Kaspersky researchers said, “This is the first time we have seen a direct link between Bluenoroff and North Korea.” But “is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation.”

Kaspersky Lab detected Bluenoroff malware samples in March 2017, “showing that attackers have no intention of stopping.”

“We’re sure they’ll come back soon,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab.
“In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss. We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

Kaspersky researchers discussed the group’s infiltration methods and its relation to attacks on the SWIFT software used in banks for transactions. Additionally, the security firm released “crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks.” Researchers urged “all organizations to carefully scan their networks for the presence of Lazarus malware samples, and if detected, to disinfect their systems and report the intrusion to law enforcement and incident response teams.”
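The forensic finding above, many proxied connections and one short session from a range that appears nowhere else in the log, is the kind of outlier a responder hunts for when reviewing a compromised server's access log. The following is an added example, not Kaspersky's code or data: the log format, the IP ranges and the durations are all constructed placeholders, and the "known exit networks" list stands in for whatever ranges dominate a real log.

```python
"""Flag source IPs in a server access log that fall outside the ranges
that dominate it. Log lines, IP ranges and durations are constructed
for illustration only; none of them are Kaspersky's data."""
import ipaddress
import re
from collections import Counter

# Constructed: the networks that account for most of the log's traffic.
KNOWN_EXIT_NETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24", "203.0.113.0/24")]  # placeholder proxy/VPN ranges

# Constructed log format: <timestamp> <src_ip> <verb> duration=<seconds>s
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<verb>\S+)\s+duration=(?P<dur>\d+)s$")

SAMPLE_LOG = """\
2017-02-14T03:12:41Z 198.51.100.7 CONNECT duration=1843s
2017-02-14T05:40:02Z 203.0.113.21 CONNECT duration=2610s
2017-02-14T06:02:19Z 198.51.100.9 CONNECT duration=955s
2017-02-15T01:17:55Z 192.0.2.44 CONNECT duration=38s
2017-02-15T02:30:11Z 203.0.113.21 CONNECT duration=1200s
""".splitlines()

def parse(lines):
    """Yield (timestamp, ip_address, duration_seconds) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], ipaddress.ip_address(m["ip"]), int(m["dur"])

def outliers(lines, short_seconds=120):
    """Return connections whose source is outside KNOWN_EXIT_NETS, marking
    those shorter than short_seconds as the sessions to pivot on first."""
    found = []
    for ts, ip, dur in parse(lines):
        if not any(ip in net for net in KNOWN_EXIT_NETS):
            found.append({"ts": ts, "ip": str(ip), "duration": dur,
                          "short": dur < short_seconds})
    return found

def source_summary(lines):
    """Count connections per /24 so that a rarely seen network stands out."""
    return Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False))
                   for _, ip, _ in parse(lines))

if __name__ == "__main__":
    for hit in outliers(SAMPLE_LOG):
        print("unusual source:", hit)
    print(source_summary(SAMPLE_LOG))
```

The per-network count is the check worth running before trusting any single hit: a network seen once, for seconds, amid hundreds of long proxied sessions is a lead to verify against other evidence, not an attribution on its own.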