Lazarus Group (also known as 'Guardians of Peace' or 'Whois Team') is a hacker organization composed of an unknown number of individuals, allegedly controlled by the North Korean government.

Although limited information is available about the organization, researchers have attributed multiple cyber attacks to them since 2010.

The organization was originally a criminal gang, but it has now been recognized as an advanced persistent threat organization due to its attack intentions, the threats it poses, and the various means it uses during operations.

Cybersecurity agencies have given them several nicknames, such as 'Hidden Cobra' (a term used by the U.S. Department of Homeland Security to refer to malicious cyber activities initiated by the North Korean government), as well as 'ZINC' or 'Diamond Sleet' (Microsoft's term). According to defector Kim Kuk-song, the organization is referred to as '414 Liaison Office' within North Korea.

Lazarus Group has close ties to North Korea. The U.S. Department of Justice stated that the organization is part of the North Korean government's strategy, aimed at 'disrupting global cybersecurity... and obtaining illegal income in violation of sanctions.'

North Korea can gain many benefits from conducting cyber operations, requiring only a very lean team to constitute a 'global' asymmetric threat (especially against South Korea).

Development History.

The earliest known attack by this organization occurred during the 'Operation Troy' from 2009 to 2012. This was a cyber espionage activity that used relatively simple distributed denial-of-service (DDoS) techniques, targeting the South Korean government based in Seoul. They also launched attacks in 2011 and 2013.

Although it cannot be confirmed, a 2007 attack on South Korea may also have been carried out by them. A notable attack by the organization occurred in 2014, targeting Sony Pictures. This attack utilized more complex techniques and demonstrated that the organization became increasingly sophisticated over time.

Reportedly, in 2015, Lazarus Group stole $12 million from Ostro Bank in Ecuador and $1 million from VietinBank in Vietnam. They also targeted banks in Poland and Mexico.

The 2016 bank heist, in which attackers compromised a certain bank and successfully stole $81 million, is also believed to be the work of the organization.

In 2017, reports indicated that Lazarus Group stole $60 million from Far Eastern International Bank in Taiwan, though the actual amount stolen remains unclear, and most of the funds have been recovered.

It is currently unclear who the true mastermind behind the organization is, but media reports indicate that the organization is closely linked to North Korea.

In 2017, Kaspersky Lab reported that Lazarus Group tended to focus on espionage and infiltration-type cyber attacks, while a subgroup within it called 'Bluenoroff' specialized in financial cyber attacks. Kaspersky discovered numerous attack incidents globally and found that Bluenoroff had direct IP address associations with that country.

However, Kaspersky also acknowledged that the code reuse could be a 'false flag operation' intended to mislead investigators and frame North Korea, since the global 'WannaCry' worm attack was built on copied U.S. NSA technology.

This ransomware exploited the 'EternalBlue' vulnerability from the U.S. National Security Agency, which was made public in April 2017 by a hacker group called 'Shadow Brokers'. In 2017, Symantec reported that the 'WannaCry' attack was highly likely attributed to Lazarus Group.

2009 'Operation Troy'.

The first major hacking incident of Lazarus Group occurred on July 4, 2009, marking the beginning of 'Operation Troy'. This attack used 'MyDoom' and 'Pushdo' malware to launch a large-scale but not very complex DDoS attack against websites in the U.S. and South Korea. This wave of attacks targeted about 36 websites and implanted the words 'Independence Day Commemoration' in the Master Boot Record (MBR).

2013 South Korea cyber attack ('Operation 1' / 'Dark Seoul' operation).

Over time, the organization's attack methods have become increasingly complex; their techniques and tools have also become more sophisticated and effective. The 'Ten-Day Rain' attack in March 2011 targeted South Korea's media, finance, and critical infrastructure, employing more sophisticated DDoS attacks, which originated from compromised computers within South Korea. On March 20, 2013, the 'Dark Seoul' operation was launched, a data-wiping attack aimed at three broadcasting companies, financial institutions, and an internet service provider in South Korea. At that time, two other organizations claiming to be responsible for the attack, 'New Roman Cyber Legion' and 'WhoIs Team', were not known to be associated with Lazarus Group. Researchers now understand that Lazarus Group was the mastermind behind these destructive attacks.


End of 2014: Sony Pictures was hacked.

On November 24, 2014, the attack by Lazarus Group peaked. On that day, a post appeared on Reddit claiming that Sony Pictures had been hacked by unknown means, with the attackers calling themselves 'Guardians of Peace'. A large amount of data was stolen and gradually leaked in the days following the attack. A person claiming to be a member of the organization stated in an interview that they had been stealing data from Sony for over a year.

Hackers accessed unreleased movies, some movie scripts, future film plans, salary information of company executives, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: 'Operation Bombshell'.

Codenamed 'Operation Bombshell', a coalition of several security companies led by Novetta analyzed malware samples found in different cybersecurity incidents. Using this data, the team analyzed the hacking methods and linked Lazarus Group to multiple attacks through code reuse patterns. For example, the samples shared a little-known encryption algorithm known as the 'Caracachs' cipher.

2016 bank cyberheist.

In February 2016, a bank heist occurred. Security hackers issued 35 fraudulent instructions through the SWIFT network, attempting to illegally transfer nearly $1 billion from a certain central bank's account at the New York Federal Reserve Bank. Of the 35 fraudulent instructions, 5 successfully transferred $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The New York Federal Reserve Bank raised suspicions due to a spelling error in one instruction, blocking the remaining 30 transactions, which involved $850 million. Cybersecurity experts indicated that the mastermind behind this attack was Lazarus Group from a certain country.

May 2017 'WannaCry' ransomware attack.

'WannaCry' attack was a large-scale ransomware cyber attack that occurred on May 12, 2017, affecting numerous institutions worldwide, from the UK's National Health Service (NHS) to Boeing, and even some universities in China. The attack lasted for 7 hours and 19 minutes. Europol estimated that the attack affected nearly 200,000 computers in 150 countries, with the most affected regions including Russia, India, Ukraine, and Taiwan. This is one of the earliest attacks using cryptoworms.

Cryptoworms are a type of malware that can spread between computers over the network without any direct user action; in this attack, the worm exploited TCP port 445. Infected computers do not need a user to click on a malicious link: the malware can spread automatically from one computer to connected printers and then to other computers on the same wireless network. The exposure of port 445 allowed the malware to move freely within internal networks, quickly infecting thousands of computers.
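Worm propagation over TCP 445 leaves a distinctive footprint in connection logs: one internal host contacting many distinct hosts on the SMB port within seconds. The following detection logic is an added example for this article, not code from the page or from any vendor; it runs over constructed, simplified flow records (timestamp, source, destination, destination port) and flags sources whose distinct-destination count on port 445 exceeds a threshold inside a sliding time window. Real sources such as Zeek `conn.log` or firewall exports would need their own parser in place of `parse_flows`.

```python
"""Flag hosts showing worm-like SMB fan-out in connection logs.

Added example for this article, not code from the page or from any vendor.
The log format below is a constructed, simplified flow record.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.5 sweeps eleven neighbours on 445 in five seconds (worm-like);
# 10.0.0.9 talks to a single file server; 10.0.0.8 touches two hosts far apart.
SAMPLE_FLOWS = """\
2017-05-12T07:44:01 10.0.0.5 10.0.0.20 445
2017-05-12T07:44:02 10.0.0.5 10.0.0.21 445
2017-05-12T07:44:02 10.0.0.5 10.0.0.22 445
2017-05-12T07:44:03 10.0.0.5 10.0.0.23 445
2017-05-12T07:44:03 10.0.0.5 10.0.0.24 445
2017-05-12T07:44:04 10.0.0.5 10.0.0.25 445
2017-05-12T07:44:04 10.0.0.5 10.0.0.26 445
2017-05-12T07:44:05 10.0.0.5 10.0.0.27 445
2017-05-12T07:44:05 10.0.0.5 10.0.0.28 445
2017-05-12T07:44:06 10.0.0.5 10.0.0.29 445
2017-05-12T07:44:06 10.0.0.5 10.0.0.30 445
2017-05-12T07:45:00 10.0.0.9 10.0.0.50 445
2017-05-12T07:45:10 10.0.0.9 10.0.0.50 445
2017-05-12T07:46:00 10.0.0.7 10.0.0.20 443
2017-05-12T09:00:00 10.0.0.8 10.0.0.20 445
2017-05-12T09:10:00 10.0.0.8 10.0.0.21 445
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, dst, dport = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def smb_fanout_alerts(records, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_destinations} for every source that contacts
    at least `threshold` distinct hosts on port 445 within any `window`.

    Repeated connections to the same destination (a normal file-server user)
    count once, so only genuine fan-out trips the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window's left edge forward until it fits `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"SMB fan-out from {src}: {count} distinct hosts on 445 within 60s")
```

The threshold and window are tuning knobs: a domain controller or backup server legitimately opens many SMB sessions, so in practice such hosts are whitelisted and the rule is aimed at workstations, where rapid fan-out on 445 is rarely benign.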

Attack method: The virus exploited vulnerabilities in the Windows operating system, encrypting computer data and demanding a ransom of about $300 worth of Bitcoin to obtain the decryption key. To encourage victims to pay, the ransom doubled after three days, and if not paid within a week, the malware would delete the encrypted data files.

The malware used a legitimate software developed by Microsoft called 'Windows Crypto' to encrypt files. After encryption, file names were suffixed with 'Wincry', which is the origin of the name 'WannaCry'. 'Wincry' is the basis for the encryption, but the malware also exploited two other vulnerabilities, 'EternalBlue' and 'DoublePulsar', making it a cryptoworm.

'EternalBlue' can automatically spread the virus over the network, while 'DoublePulsar' triggers the virus to activate on the victim's computer. In other words, 'EternalBlue' spreads the infected link to your computer, and 'DoublePulsar' clicks it for you.

Security researcher Marcus Hutchins received a sample of the virus from a friend at a security research company and discovered that the virus contained a hardcoded 'kill switch' that terminated the attack. The malware periodically checked whether a specific domain name had been registered and would only continue encryption operations if that domain did not exist.

Hutchins discovered this check mechanism and subsequently registered the relevant domain name at 3:03 PM Coordinated Universal Time. The malware immediately stopped spreading and infecting new devices. This situation is quite intriguing and provided clues for tracking down the virus creators. Typically, stopping malware requires a back-and-forth battle between hackers and security experts for months, making such an easy victory unexpected. Another unusual aspect of this attack is that after paying the ransom, the files could not be recovered: the hackers only received $160,000 in ransom, leading many to believe that their goal was not monetary.
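Once the domain was registered, every infected host that performed the check produced a DNS query for it, which turns the kill switch into a detection signal for defenders. The following is an added example for this article, not code from the page or from Hutchins; it uses a placeholder domain rather than the real one and runs over constructed DNS query records. It groups lookups of the watched domain by client and separately marks clients whose lookup failed, because under the behaviour described above a failed lookup is exactly the condition in which the malware carried on encrypting.

```python
"""Spot hosts that query a sinkholed kill-switch domain in DNS query logs.

Added example for this article, not code from the page or from any vendor.
KILL_SWITCH_DOMAINS holds a placeholder, not the real WannaCry domain, and
the log format is a constructed, simplified one.
"""
from collections import defaultdict

# Placeholder for the sinkholed domain(s) a defender has been told to watch.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample DNS query records: "<time> <client_ip> <qname> <rcode>".
# 10.0.0.5 looked the domain up and got NXDOMAIN (check failed, malware would
# proceed); 10.0.0.12 got an answer (check succeeded, malware would stop).
SAMPLE_DNS = """\
2017-05-12T15:05:01 10.0.0.5 killswitch-placeholder.example NXDOMAIN
2017-05-12T15:05:02 10.0.0.5 killswitch-placeholder.example NXDOMAIN
2017-05-12T15:05:30 10.0.0.8 www.example.com NOERROR
2017-05-12T15:06:10 10.0.0.12 killswitch-placeholder.example NOERROR
2017-05-12T15:06:11 10.0.0.12 KILLSWITCH-PLACEHOLDER.example. NOERROR
this line is deliberately malformed
"""


def normalise(qname):
    """Canonicalise a query name: strip the trailing dot, lower-case it."""
    return qname.rstrip(".").lower()


def parse_dns(text):
    """Parse the constructed DNS log format into (time, client, qname, rcode)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines
        ts, client, qname, rcode = parts
        records.append((ts, client, normalise(qname), rcode.upper()))
    return records


def kill_switch_hits(records, watch=KILL_SWITCH_DOMAINS):
    """Return {client: {"queries": n, "resolved": bool}} for every client that
    queried a watched domain. `resolved` is True if at least one lookup got
    NOERROR; False means the host only ever saw the domain as non-existent.
    """
    hits = defaultdict(lambda: {"queries": 0, "resolved": False})
    for _, client, qname, rcode in records:
        if qname in watch:
            hits[client]["queries"] += 1
            if rcode == "NOERROR":
                hits[client]["resolved"] = True
    return dict(hits)


def unresolved_hosts(hits):
    """Clients whose kill-switch lookups all failed: the check would not have
    stopped them, so they are the first to isolate and inspect."""
    return sorted(c for c, h in hits.items() if not h["resolved"])


if __name__ == "__main__":
    hits = kill_switch_hits(parse_dns(SAMPLE_DNS))
    for client, info in sorted(hits.items()):
        print(client, info)
    print("lookup failed (urgent):", unresolved_hosts(hits))
```

A practical caveat this logic makes visible: hosts behind an egress proxy or with filtered DNS may never receive a successful answer for the sinkholed domain, so registering the domain does not protect them and their queries are the ones worth escalating first.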

The kill switch was easily triggered and the ransom profits were meager, leading many to believe that this attack was state-sponsored; its motive was not financial gain but rather to create chaos. After the attack occurred, security experts traced the 'DoublePulsar' vulnerability back to the U.S. National Security Agency, where it had originally been developed as a cyber weapon.

Later, the 'Shadow Brokers' hacker group stole this vulnerability, initially trying to auction it but failing, and then simply released it for free. The U.S. National Security Agency subsequently informed Microsoft of this vulnerability, and Microsoft released an update on March 14, 2017, less than a month before the attack occurred. However, this was not enough; since the update was not mandatory, by May 12, most computers with the vulnerability had not been patched, resulting in devastating impacts from this attack.

Subsequent Impact: The U.S. Department of Justice and British authorities later determined that the 'WannaCry' attack was carried out by the North Korean hacker group Lazarus Group.


2017 cryptocurrency attack incident.

In 2018, Recorded Future released a report stating that Lazarus Group was associated with attacks on cryptocurrency users of Bitcoin and Monero, primarily targeting South Korean users. Reportedly, these attacks were technically similar to previous attacks using 'WannaCry' ransomware and the attacks on Sony Pictures.

One of the methods used by Lazarus Group hackers was to exploit vulnerabilities in Hangul, a word processing software developed by Hancom. Another method was to send spear phishing bait containing malware, targeting South Korean students and users of cryptocurrency exchanges like Coinlink.

If users open the malware, their email addresses and passwords will be stolen. Coinlink denies that its website or users' email addresses and passwords were hacked.

The report concluded: 'This series of attacks at the end of 2017 indicates that a certain country has an increasing interest in cryptocurrency. Today, we know this interest encompasses a wide range of activities including mining, ransomware attacks, and direct theft...'. The report also noted that this country utilizes these cryptocurrency attacks to evade international financial sanctions.

In February 2017, hackers from a certain country stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, suffered an attack in April 2017, and in December of the same year, it went bankrupt after 17% of its assets were stolen.

Lazarus Group and certain country hackers have been identified as the masterminds behind these attacks. In December 2017, the cryptocurrency cloud mining market Nicehash lost over 4,500 bitcoins. An updated investigation indicated that this attack was related to Lazarus Group.

September 2019 attack incident.

In mid-September 2019, the U.S. issued a public warning about a new type of malware named 'ElectricFish'. Since early 2019, agents from a certain country have carried out five significant cyber thefts globally, including successfully stealing $49 million from an institution in Kuwait.

End of 2020 pharmaceutical company attack incident.

Due to the ongoing COVID-19 pandemic, pharmaceutical companies became prime targets for Lazarus Group. Members of Lazarus Group utilized spear-phishing techniques, masquerading as health officials and sending malicious links to employees of pharmaceutical companies. It is believed that several major pharmaceutical companies were targeted, but currently, only AstraZeneca, a joint venture between the UK and Switzerland, has been confirmed.

According to Reuters, many employees became targets of the attack, many of whom were involved in COVID-19 vaccine research. It remains unclear what the purpose of Lazarus Group's attacks was, but it could include stealing sensitive information for profit, implementing extortion schemes, and enabling foreign regimes to acquire proprietary research related to the coronavirus. AstraZeneca has not commented on the incident, and experts believe that there has been no sensitive data leak at this time.

January 2021 attack incident targeting cybersecurity researchers.

In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had launched attacks against cybersecurity researchers using social engineering techniques, with Microsoft explicitly stating that the attack was carried out by Lazarus Group.

Hackers created multiple user profiles on platforms like Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers, interacting with posts and content released by others in the security research community. They would then directly contact specific security researchers under the guise of collaborative research, luring victims to download files containing malware or access blog articles on websites controlled by hackers.

Some victims who accessed the blog posts reported that even though they were using the fully patched Google Chrome browser, their computers were still compromised, indicating that hackers might have exploited previously unknown Chrome zero-day vulnerabilities; however, Google stated at the time of the report that it could not determine the exact method of the breach.

March 2022 Axie Infinity attack incident.

In March 2022, Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: 'Through investigation, we confirm that Lazarus Group and APT 38 (network actors associated with North Korea) are the masterminds behind this theft.'

June 2022 Horizon Bridge attack incident.

The FBI confirmed that the North Korean malicious cyber actor group Lazarus Group (also known as APT 38) was the mastermind behind the June 24, 2022, incident involving the theft of $100 million in virtual currency from Harmony's Horizon Bridge.

A report from the blockchain security platform Immunefi indicated that in 2023, Lazarus Group was responsible for cryptocurrency hacking incidents that resulted in losses exceeding $300 million, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet attack incident.

In June 2023, users of the Atomic Wallet service had over $100 million worth of cryptocurrency stolen, and the FBI subsequently confirmed this incident.

September 2023 Stake.com hacking incident.

In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and betting platform Stake.com, with the perpetrators being Lazarus Group.

U.S. sanctions measures.

On April 14, 2022, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) placed Lazarus Group on the Specially Designated Nationals (SDN) list under the country's sanctions regulations.

2024 cryptocurrency attack incident.

According to Indian media reports, a local cryptocurrency exchange named WazirX was attacked by this organization, resulting in the theft of $234.9 million in cryptocurrency.

Personnel training.

It is rumored that some North Korean hackers are sent to Shenyang, China for professional training to learn how to implant various types of malware into computers, computer networks, and servers. Internally in North Korea, Kim Il Sung University, Kim Chaek University of Technology, and Wonsan University take on the educational tasks related to this, selecting the best students nationwide for six years of specialized education. In addition to university education, 'some of the best programmers... are sent to Wonsan University or Mirim College for further study.'

Organizational branches.

Lazarus Group is believed to have two branches.

BlueNorOff.

BlueNorOff (also known as APT 38, 'Star Chollima', 'BeagleBoyz', 'NICKEL GLADSTONE') is an organization driven by economic interests, conducting illegal fund transfers through forged SWIFT instructions. Mandiant refers to it as APT 38, while Crowdstrike calls it 'Star Chollima'.

According to a report by the U.S. Army in 2020, BlueNorOff has about 1,700 members focused on long-term assessment and exploitation of enemy network vulnerabilities and systems, engaging in financial cybercrime to obtain economic benefits or control related systems for their country's regime. Between 2014 and 2021, their targets included at least 16 institutions across 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that these illegal proceeds were used for the development of missile and nuclear technology in that country.

BlueNorOff's most notorious attack was the 2016 bank heist, where they attempted to illegally transfer nearly $1 billion from a certain central bank's account at the New York Federal Reserve Bank through the SWIFT network. After some transactions were successfully completed ($20 million went to Sri Lanka, and $81 million to the Philippines), the New York Federal Reserve Bank raised suspicions due to a spelling error in one instruction, blocking the remaining transactions.

Malware associated with BlueNorOff includes: 'DarkComet', 'Mimikatz', 'Nestegg', 'Macktruck', 'WannaCry', 'Whiteout', 'Quickcafe', 'Rawhide', 'Smoothride', 'TightVNC', 'Sorrybrute', 'Keylime', 'Snapshot', 'Mapmaker', 'net.exe', 'sysmon', 'Bootwreck', 'Cleantoad', 'Closeshave', 'Dyepack', 'Hermes', 'Twopence', 'Electricfish', 'Powerratankba', and 'Powerspritz'.

Common tactics used by BlueNorOff include: phishing, setting up backdoors, exploiting vulnerabilities, watering hole attacks, executing code on systems using outdated and insecure versions of Apache Struts 2, strategically infiltrating websites, and accessing Linux servers. Reports indicate that they sometimes collaborate with criminal hackers.

AndAriel.

AndAriel, also spelled Andarial, is also known as Silent Chollima, Dark Seoul, Rifle, and Wassonite, and is characterized by its focus on South Korean targets. The nickname 'Silent Chollima' refers to the organization's secretive nature. Any institution in South Korea could be targeted by AndAriel, including government departments, defense agencies, and major economic entities.

According to a report by the U.S. Army in 2020, the AndAriel organization has about 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map enemy networks for potential attacks. In addition to South Korea, they also list other countries' governments, infrastructures, and enterprises as attack targets. Attack methods include exploiting ActiveX controls, South Korean software vulnerabilities, watering hole attacks, spear phishing (macro virus methods), targeting IT management products (such as antivirus software and project management software), and launching attacks through supply chains (installers and update programs). The malware used includes Aryan, Ghost RAT, Rifdoor, Phandoor, and Andarat.

In February 2021, the U.S. Department of Justice indicted three members of the North Korean military intelligence agency Reconnaissance General Bureau — Park Jin Hyok, Jon Chang Hyok, and Kim Il Park, accusing them of involvement in multiple hacking activities by Lazarus Group. Park Jin Hyok was already indicted in September 2018. These suspects are currently not in U.S. custody. Additionally, a Canadian and two Chinese individuals were also accused of acting as fund transporters and money launderers for Lazarus Group.
