New evidence linking hacking group Lazarus to North Korea - and the $81m Bangladesh Bank heist
North Korea probably not behind WannaCry ransomware, but almost certainly behind Bangladesh Bank and other financial institution cyber frauds
Lazarus Group once spied on opponents of the North Korean regime worldwide, but now targets banks and financial institutions in a bid to steal millions of dollars. That is the claim of a new report from Russian security software and services firm Group-IB, which has linked the group to the $81m Bangladesh Bank cyber heist last year.
It has traced the group to the Potonggang district of Pyongyang and the unfinished 105-storey Ryugyong Hotel, both facilities where foreigners are barred. Ultimately, it claims, Lazarus is controlled out of the Bureau 121 government agency, a division of the Reconnaissance General Bureau, a North Korean intelligence agency.
Bureau 121 is responsible for conducting military cyber campaigns, claims Group-IB.
"Lazarus is known to have specialized in DDoS attacks and corporate breaches targeting government, military, and aerospace institutions worldwide. Now that global economic pressure on North Korea has increased, Lazarus has shifted their focus to international financial organizations to conduct money thefts and espionage," claims the report.
An examination of four waves of cyber attacks attributed to Lazarus has firmed up the evidence linking the group to the North Korean government, suggests Group-IB.
These attacks include the 'Troy' cyber espionage campaign against South Korea between 2009 and 2012, which included hacking websites and distributed denial of service (DDoS) attacks; the DarkSeoul operation in March 2013 that targeted three broadcasters and a bank, all in South Korea; the attack on Sony Pictures in 2014 in response to the release of the film 'The Interview'; and the attack on Bangladesh Bank last year, which could have resulted in $951m in fraudulent payments being made.
Earlier this year, too, several Polish banks were targeted in a similar way. Sanctions against North Korea in response have included the disconnection of the country's banks from SWIFT.
"Group-IB specialists have researched this group and now have evidence which identifies that North Korea is behind these attacks: We have detected and thoroughly analyzed multiple layers of command and control (C&C) infrastructure used by Lazarus and have identified North Korean IP addresses from which the attacks were ultimately controlled," claims Group-IB.
The group used a sophisticated, three-layer C&C infrastructure, with complex multi-stage deployment techniques, for the SWIFT attacks alone. Of the two IP addresses at the top of the C&C infrastructure, one was 210.52.109.22, assigned to China Netcom but believed to have been allocated to North Korea at the time of the attacks.
The other, 175.45.178.222, "refers to a North Korean Internet service provider. The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where the National Defence Commission is located — the highest military body in North Korea".
Given the difficulty of acquiring North Korean IP addresses, especially ones that can be traced to the same buildings used by the National Defence Commission, Group-IB believes that the identity of Lazarus Group is pretty much solved.
Lazarus was also linked with the WannaCry ransomware outbreak last month by Symantec. However, other specialists have debunked the claims, suggesting that the amateurish nature of the WannaCry malware was out of character with Lazarus. A linguistic analysis of the ransom notes has, instead, pointed the finger at hackers based in China.