The Lazarus Group (also known as 'Guardians of Peace' or 'Whois Team') is a hacker organization composed of an unknown number of individuals, reportedly controlled by the North Korean government. Although knowledge of the organization is limited, researchers have attributed multiple cyberattacks to it since 2010.

The organization was initially a criminal gang but is now recognized as an advanced persistent threat (APT) group because of its attack intentions, the threats it poses, and the variety of means it uses during operations. Cybersecurity agencies have given it several nicknames, such as 'Hidden Cobra' (used by the U.S. Department of Homeland Security to refer to malicious cyber activities initiated by the North Korean government), as well as 'ZINC' or 'Diamond Sleet' (Microsoft's terms). According to North Korean defector Kim Kuk-song, the organization is known domestically as the '414 Contact Office'.

The Lazarus Group has strong ties to North Korea. The U.S. Department of Justice claims that the organization is part of the North Korean government's strategy to 'disrupt global cybersecurity... and obtain illegal income in violation of sanctions'. North Korea gains numerous benefits from conducting cyber operations: a very lean team lets it pose a 'global' asymmetric threat (especially to South Korea).

Development History

The earliest known attack launched by the organization was the 'Trojan Operation' from 2009 to 2012. This was a cyber espionage operation that used relatively simple distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group also launched attacks in 2011 and 2013. While it cannot be confirmed, a 2007 attack against South Korea may also have been carried out by them. One of the organization's notable attacks occurred in 2014, targeting Sony Pictures. That attack employed more sophisticated techniques and demonstrated the organization's increasing maturity over time.

Reports indicate that in 2015 the Lazarus Group stole $12 million from Ecuador's Banco del Austro and $1 million from Vietnam's VietinBank. They also targeted banks in Poland and Mexico. A 2016 heist in which $81 million was stolen from a certain bank is also believed to be the work of the organization. In 2017, there were reports that the Lazarus Group stole $60 million from Taiwan's Far Eastern International Bank, although the actual amount stolen is unclear and most of the funds have been recovered.

It remains unclear who the true masterminds behind the organization are, but media reports indicate a close association with North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group tends to focus on espionage and infiltration cyberattacks, while a subgroup referred to by Kaspersky as 'Bluenoroff' specializes in financial cyberattacks. Kaspersky has identified multiple attack incidents globally and found direct IP address connections between Bluenoroff and North Korea.

However, Kaspersky also acknowledged that the reuse of code might be a 'false flag operation' aimed at misleading investigators and making North Korea take the blame. After all, the global 'WannaCry' worm attack copied techniques from the U.S. National Security Agency: the ransomware exploited the 'EternalBlue' vulnerability developed by the NSA, which was made public in April 2017 by a hacker group known as 'Shadow Brokers'. In 2017, Symantec reported that the 'WannaCry' attack was highly likely attributable to the Lazarus Group.

2009 'Trojan Operation'

The Lazarus Group's first major hacking event occurred on July 4, 2009, marking the beginning of the 'Trojan Operation'. This attack used the 'MyDoom' and 'Pushdo' malware to launch large-scale but unsophisticated DDoS attacks against U.S. and South Korean websites. The wave of attacks targeted approximately 36 websites and embedded the text 'Independence Day Commemoration' in the Master Boot Record (MBR).

2013 South Korean Cyber Attack ('Operation 1' / 'Dark Seoul')

Over time, the organization's attack methods have become increasingly sophisticated, and its tools and techniques more mature and effective. The 'Ten Days of Rain' attack in March 2011 targeted South Korean media, finance, and critical infrastructure, employing more complex DDoS attacks launched from compromised computers within South Korea. The 'Dark Seoul' operation commenced on March 20, 2013; it was a data-wiping attack targeting three South Korean broadcasting companies, financial institutions, and an internet service provider. At the time, two other groups that claimed responsibility for the attack, 'New Roman Cyber Legion' and 'WhoIs Team', were unaware that the true mastermind was the Lazarus Group. Researchers now know that the Lazarus Group was the main perpetrator of these destructive attacks.

End of 2014: Sony Pictures was hacked

On November 24, 2014, the Lazarus Group's attacks reached their peak. On that day, a post appeared on Reddit claiming that Sony Pictures had been compromised by unknown means, with the attackers calling themselves 'Guardians of Peace'. A large amount of data was stolen and gradually leaked over the following days. A person claiming to be a member of the organization stated in an interview that they had been stealing data from Sony for over a year.

Hackers gained access to unreleased movies, parts of movie scripts, future film plans, salary information of company executives, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: 'Operation Bombshell'

Under the codename 'Operation Bombshell', an alliance of several security companies led by Novetta analyzed malware samples discovered in various cybersecurity incidents. Using this data, the team analyzed the hackers' methods and linked the Lazarus Group to multiple attacks through code reuse patterns. For instance, the group used the 'Caracas' encryption algorithm, which is little known on the internet.

2016 Bank Cyber Theft Incident

In February 2016, a bank heist occurred. Hackers issued 35 fraudulent instructions through the SWIFT network, attempting to illegally transfer nearly $1 billion from a certain country's central bank to an account at the Federal Reserve Bank of New York. Of the 35 fraudulent instructions, 5 succeeded and transferred $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York became suspicious because of a spelling error in one of the instructions and stopped the remaining 30 transactions, worth $850 million. Cybersecurity experts stated that the Lazarus Group, from a certain country, was behind this attack.

May 2017 'WannaCry' Ransomware Attack

The 'WannaCry' attack was a massive ransomware cyber attack that occurred on May 12, 2017, affecting numerous institutions globally, from the National Health Service (NHS) in the UK to Boeing and even some universities in China. The attack lasted for 7 hours and 19 minutes. Europol estimated that it affected nearly 200,000 computers in 150 countries, with the most affected regions including Russia, India, Ukraine, and Taiwan. It was one of the earliest large-scale attacks using an encrypting worm. Encrypting worms are a type of malware that can spread between computers over the network without user interaction; in this attack, the worm exploited TCP port 445. Computers could be infected without anyone clicking a malicious link, because the malware spread automatically, moving from one computer to connected printers and then to other computers on the wireless network. The exposure of port 445 allowed the malware to spread freely within internal networks, quickly infecting thousands of computers.

Attack method: The virus exploited vulnerabilities in the Windows operating system, then encrypted the computer's data and demanded approximately $300 worth of Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and if it was not paid within a week the malware would delete the encrypted files. The malware used legitimate Microsoft software, 'Windows Crypto', to encrypt files. After encryption, the filenames carried the 'Wincry' suffix, which is the origin of the name 'WannaCry'. 'Wincry' is the basis of the encryption, but the malware also exploited two other vulnerabilities, 'EternalBlue' and 'DoublePulsar', which made it an encrypting worm. 'EternalBlue' propagated the virus automatically over the network, while 'DoublePulsar' triggered the virus to activate on the victim's computer. In other words, 'EternalBlue' delivered the infected links to your computer, and 'DoublePulsar' clicked them for you.

Security researcher Marcus Hutchins discovered a 'kill switch' hard-coded into a sample of the virus that he had received from a friend at a security research company, and that kill switch halted the attack. The malware regularly checked whether a certain domain name was registered and continued encrypting only if the domain did not exist. Hutchins discovered this check and registered the domain at 3:03 PM UTC; the malware immediately stopped spreading and infecting new devices. This situation was quite intriguing and provided clues for tracking the virus's creator. Typically, stopping malware requires hackers and security experts to engage in a back-and-forth battle for months, so winning so easily was unexpected. Another unusual aspect of this attack was that files could not be recovered even after the ransom was paid: the hackers received only $160,000, leading many to believe their goal was not financial.

The ease with which the attack was halted via the 'kill switch', together with the meager ransom earnings, led many to believe the attack was state-sponsored and that the motivation was not economic gain but the creation of chaos. After the attack, security experts traced the 'DoublePulsar' vulnerability back to the U.S. National Security Agency, where it had originally been developed as a cyber weapon. The hacker group 'Shadow Brokers' later stole it, initially attempting to auction it and, when that failed, releasing it for free. The NSA subsequently informed Microsoft about the vulnerability, and Microsoft released an update on March 14, 2017, less than a month before the attack occurred. That was not enough: since the update was not mandatory, by May 12 most vulnerable computers remained unpatched, leading to the astonishing damage caused by the attack.
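As an added illustration that is not part of the original article, the following Python script shows how a defender could turn the two propagation traits described above, the start-up DNS check for the kill-switch domain and the rapid fan-out to many hosts on TCP port 445, into detection logic run over DNS and connection logs. The kill-switch domain name, the log formats and the sample lines are constructed placeholders, not the real domain or real logs; a host that queries the kill-switch domain is reported as infected even when the query succeeds, because a successful resolution only stops the worm from encrypting, it does not remove it.

```python
"""Detection of an SMB-spreading encrypting worm from DNS and connection logs.

Added example, not code from the original article. Assumptions: the kill-switch
domain below is a placeholder, and the two log formats are constructed for the
example (one record per line, whitespace separated).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: substitute the sinkholed kill-switch domain in a real deployment.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed DNS query log: "<ISO timestamp> <client ip> <queried name>"
DNS_LOG = """\
2017-05-12T14:58:01 10.0.0.12 killswitch-domain.example
2017-05-12T14:58:05 10.0.0.20 www.example.org
2017-05-12T14:58:09 10.0.0.31 KillSwitch-Domain.example.
"""

# Constructed connection log: "<ISO timestamp> <src ip> <dst ip> <dst port>"
CONN_LOG = """\
2017-05-12T14:59:00 10.0.0.12 10.0.0.2 445
2017-05-12T14:59:01 10.0.0.12 10.0.0.3 445
2017-05-12T14:59:01 10.0.0.12 10.0.0.4 445
2017-05-12T14:59:02 10.0.0.12 10.0.0.5 445
2017-05-12T14:59:02 10.0.0.12 10.0.0.6 445
2017-05-12T14:59:03 10.0.0.12 10.0.0.7 445
2017-05-12T14:59:10 10.0.0.20 10.0.0.2 445
2017-05-12T14:59:11 10.0.0.20 10.0.0.2 445
2017-05-12T14:59:12 10.0.0.20 10.0.0.9 443
2017-05-12T15:30:00 10.0.0.12 10.0.0.8 445
"""


def hosts_querying_kill_switch(dns_log: str, domain: str = KILL_SWITCH_DOMAIN) -> set[str]:
    """Client IPs that looked up the kill-switch domain.

    The comparison is case-insensitive and tolerates a trailing dot, since
    resolvers log names in either form. Any such lookup means the worm's
    start-up check ran on that host, regardless of whether it resolved.
    """
    wanted = domain.lower().rstrip(".")
    hits: set[str] = set()
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") == wanted:
            hits.add(client)
    return hits


def smb_fanout_hosts(conn_log: str, window: timedelta = timedelta(seconds=60),
                     threshold: int = 5, port: int = 445) -> dict[str, int]:
    """Sources that contact at least `threshold` distinct hosts on `port`
    within any sliding `window`; returns {src_ip: peak distinct-peer count}.

    Normal file-sharing traffic talks to a handful of servers repeatedly;
    a worm probing the subnet reaches many different peers in seconds.
    """
    per_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        if int(dport) != port:
            continue
        per_src[src].append((datetime.fromisoformat(ts), dst))

    flagged: dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        # Slide the window start over each event; events are sorted, so the
        # candidates are everything from that index forward within the window.
        for i, (t0, _dst) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def correlate(dns_log: str, conn_log: str) -> set[str]:
    """Hosts that show both indicators: kill-switch lookup and SMB fan-out."""
    return hosts_querying_kill_switch(dns_log) & set(smb_fanout_hosts(conn_log))


if __name__ == "__main__":
    print("kill-switch lookups:", sorted(hosts_querying_kill_switch(DNS_LOG)))
    print("SMB fan-out:", smb_fanout_hosts(CONN_LOG))
    print("both indicators:", sorted(correlate(DNS_LOG, CONN_LOG)))
```

On the constructed input, 10.0.0.12 trips both checks (six distinct peers on port 445 inside four seconds, plus the domain lookup), 10.0.0.31 only the DNS check, and 10.0.0.20 neither, since it repeatedly contacts a single server. The window and threshold are tuning knobs; a sliding window rather than fixed buckets avoids missing a burst that straddles a bucket boundary.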

Subsequent Impact: The U.S. Department of Justice and British authorities later determined that the 'WannaCry' attack was carried out by the North Korean hacker organization Lazarus Group.

2017 Cryptocurrency Attack Incident

In 2018, Recorded Future released a report stating that the Lazarus Group was linked to attacks on users of the cryptocurrencies Bitcoin and Monero, mainly South Korean users. These attacks were reported to be technically similar to the earlier 'WannaCry' ransomware attack and the attack on Sony Pictures. One technique used by Lazarus Group hackers was exploiting vulnerabilities in the South Korean word processing software Hangul (developed by Hancom). Another involved sending spear-phishing bait containing malware to South Korean students and to users of cryptocurrency exchanges such as Coinlink.

If a user opens the malware, their email address and password are stolen. Coinlink denies that its website or its users' email addresses and passwords were hacked. The report concluded: 'This series of attacks at the end of 2017 shows that a certain country's interest in cryptocurrencies is growing, and we now know that this interest encompasses a wide range of activities including mining, ransomware attacks, and direct theft...' The report also noted that the country uses these cryptocurrency attacks to evade international financial sanctions.

In February 2017, hackers from a certain country stole $7 million from South Korea's cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, suffered an attack in April 2017 and filed for bankruptcy in December after losing 17% of its assets. The Lazarus Group and hackers from a certain country were identified as the masterminds behind these attacks. In December 2017, the cryptocurrency cloud mining marketplace Nicehash lost over 4,500 Bitcoins; a later investigation showed that this attack was related to the Lazarus Group.

September 2019 Attack Incident

In mid-September 2019, the United States issued a public alert stating that a new type of malware called 'ElectricFish' had been discovered. Since early 2019, agents from a certain country have carried out 5 significant cyber thefts globally, including successfully stealing $49 million from an institution in Kuwait.

End of 2020 Pharmaceutical Company Attack Incident

During the COVID-19 pandemic, pharmaceutical companies became prime targets for the Lazarus Group. Its members used spear-phishing, masquerading as health officials, to send malicious links to employees of pharmaceutical companies. Several large pharmaceutical companies are believed to have been targeted, but so far only the Anglo-Swedish company AstraZeneca has been confirmed. According to Reuters, many employees were targeted, many of them involved in the development of COVID-19 vaccines. The Lazarus Group's motives for these attacks remain unclear, but they may include stealing sensitive information for profit, running extortion schemes, and giving foreign regimes access to proprietary COVID-19 research. AstraZeneca has not commented on the incident, and experts believe that no sensitive data was leaked.

January 2021 Attack Incident Against Cybersecurity Researchers

In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had launched attacks against cybersecurity researchers using social engineering tactics, with Microsoft explicitly stating that the attack was carried out by the Lazarus Group.

The hackers created multiple user profiles on platforms such as Twitter, GitHub, and LinkedIn, posing as legitimate vulnerability researchers and interacting with posts and content published by others in the security research community. They then contacted specific security researchers directly under the pretext of collaboration, luring victims into downloading files containing malware or visiting blog posts on websites the hackers controlled.

Some victims who visited the blog posts reported that their computers were compromised even though they were running a fully patched Google Chrome browser, indicating that the hackers may have exploited a previously unknown Chrome zero-day vulnerability; however, Google stated at the time of the report that it could not determine the specific method of intrusion.

March 2022 Axie Infinity Attack Incident

In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used in the Axie Infinity game. The FBI stated: 'Through investigation, we confirmed that the Lazarus Group and APT38 (linked to North Korean actors) were behind this theft.'

June 2022 Horizon Bridge Attack Incident

The FBI confirmed that the North Korean malicious cyber actor Lazarus Group (also known as APT38) was behind the $100 million virtual currency theft from Harmony's Horizon Bridge reported on June 24, 2022.

A report released by blockchain security platform Immunefi stated that the Lazarus Group caused losses exceeding $300 million in cryptocurrency hacks in 2023, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet Attack Incident

In June 2023, users of Atomic Wallet had over $100 million worth of cryptocurrency stolen; the FBI later confirmed the attribution.

September 2023 Stake.com Hacker Attack Incident

In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and betting platform Stake.com, and that the perpetrator was the Lazarus Group.

U.S. Sanctions

On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added the Lazarus Group to the Specially Designated Nationals List (SDN List) under sanctions regulations of a certain country.

2024 Cryptocurrency Attack Incident

According to Indian media reports, a local cryptocurrency exchange named WazirX was attacked by the organization, with $234.9 million worth of cryptocurrency stolen.

Personnel Training

It is rumored that some North Korean hackers are sent to Shenyang, China, for professional training in implanting various malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University, and Mangyongdae Revolutionary School are responsible for such education, selecting the best students from across the country for a six-year special education program. In addition to university education, 'some of the best programmers... are sent to Mangyongdae Revolutionary School or Mirim College for further studies.'

Organizational Branches

The Lazarus Group is believed to have two branches.

BlueNorOff

BlueNorOff (also known as APT38, 'Chollima', 'BeagleBoyz', and 'NICKEL GLADSTONE') is a financially motivated unit that conducts illegal fund transfers through forged SWIFT instructions. Mandiant refers to it as APT38, while CrowdStrike calls it 'Chollima'.

According to a 2020 report from the U.S. Army, BlueNorOff has about 1,700 members focused on long-term assessment and exploitation of enemy network vulnerabilities and systems, engaging in financial cybercrime to obtain economic benefits for the regime or to control the relevant systems. Between 2014 and 2021, its targets included at least 16 institutions in 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. These illicit proceeds are believed to have funded the country's missile and nuclear technology development.

The most notorious attack by BlueNorOff was the 2016 bank theft, in which it attempted to illegally transfer nearly $1 billion from a certain country's central bank to an account at the Federal Reserve Bank of New York through the SWIFT network. After some transactions had completed ($20 million to Sri Lanka and $81 million to the Philippines), the Federal Reserve Bank of New York became suspicious because of a spelling error in one of the instructions and halted the remaining transactions.

Malware associated with BlueNorOff includes: 'DarkComet', 'Mimikatz', 'Nestegg', 'Macktruck', 'WannaCry', 'Whiteout', 'Quickcafe', 'Rawhide', 'Smoothride', 'TightVNC', 'Sorrybrute', 'Keylime', 'Snapshot', 'Mapmaker', 'net.exe', 'sysmon', 'Bootwreck', 'Cleantoad', 'Closeshave', 'Dyepack', 'Hermes', 'Twopence', 'Electricfish', 'Powerratankba', and 'Powerspritz'.

Common tactics used by BlueNorOff include phishing, installing backdoors, exploiting vulnerabilities, watering hole attacks, executing code on systems running outdated and insecure versions of Apache Struts 2, strategic website compromises, and accessing Linux servers. There have been reports that the group sometimes collaborates with criminal hackers.

AndAriel

AndAriel, also spelled Andarial, has the aliases Silent Chollima, Dark Seoul, Rifle, and Wassonite, and is characterized by its targeting of South Korea. The alias 'Silent Chollima' refers to the group's secretive nature. Any institution in South Korea could potentially be a target for AndAriel, including government departments, defense agencies, and various economic entities.

According to a 2020 report from the U.S. Army, AndAriel has approximately 1,600 members whose tasks include reconnaissance, assessing network vulnerabilities, and mapping enemy networks for potential attacks. Besides South Korea, it also targets governments, infrastructure, and businesses in other countries. Its attack methods include exploiting ActiveX controls and vulnerabilities in South Korean software, watering hole attacks, spear phishing (with macro-based malware), targeting IT management products (such as antivirus and project management software), and supply-chain attacks (via installers and updates). The malware it uses includes Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

In February 2021, the U.S. Department of Justice indicted three members of North Korea's military intelligence agency, the Reconnaissance General Bureau (Park Jin Hyok, Jon Chang Hyok, and Kim Il Park), accusing them of participating in multiple Lazarus Group hacking activities. Park Jin Hyok had already been indicted in September 2018. None of these suspects is currently in U.S. custody. Additionally, a Canadian and two Chinese individuals have been accused of acting as money mules and money launderers for the Lazarus Group.