FBI Statement on Attribution of Malicious Cyber Activity Posed by the Democratic People’s Republic of Korea
Washington, D.C. | FBI National Press Office | (202) 324–3691

April 14, 2022
The FBI continues to combat malicious cyber activity including the threat posed by the Democratic People’s Republic of Korea to the U.S. and our private sector partners. Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29. The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities — including cybercrime and cryptocurrency theft — to generate revenue for the regime. (Ref: FBI Press Release)
APT Profile: Who is Lazarus Group?
By SOCRADAR.IO

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a cybercrime organization with an unknown number of members. Although little is known about the Lazarus Group, experts have linked them to a number of cyberattacks between 2010 and 2021.
Lazarus Group 101
Because of the intent, the level of threat, and the wide range of tactics it employs in its operations, the Lazarus Group has been classified as an advanced persistent threat. HIDDEN COBRA and Zinc are two other names given to it by cybersecurity organizations.
Definitions of the Lazarus Group and of other North Korean groups overlap significantly, and the Lazarus Group moniker is known to cover a wide range of activity. Some organizations refer to any activity related to North Korea as the Lazarus Group.
Some organizations track North Korean clusters or groups like Bluenoroff, APT37, and APT38 independently, while others use the moniker Lazarus Group to track some of the activity linked with those names.
Targets of Lazarus’ Relentless Attacks
The 2014 attack on Sony Pictures is one of the group’s most well-known attacks. The Sony attack used more complex techniques, demonstrating how much the gang has progressed over time.
In 2015, the Lazarus Group was accused of stealing $12 million from Ecuador’s Banco del Austro and $1 million from Vietnam’s Tien Phong Bank. Banks in Poland and Mexico have also been attacked. The organization was blamed for a bank heist in 2016 that resulted in the theft of US$81 million from the Bangladesh Bank.
The Lazarus Group was accused of stealing US$60 million from Taiwan’s Far Eastern International Bank in 2017, although the exact amount stolen is unknown and the majority of the funds were recovered.
According to a study released by Insikt Group in 2018, the Lazarus Group was linked to attacks against Bitcoin and Monero cryptocurrency users in South Korea. These attacks are said to be similar in nature to the earlier WannaCry ransomware operations and the Sony Pictures breach.
In late 2020, pharmaceutical businesses became key targets for the Lazarus Group as a result of the ongoing COVID-19 pandemic. Lazarus Group members pretended to be health officials and sent harmful links to pharmaceutical company personnel using spear-phishing techniques. Multiple big pharmaceutical companies are suspected of having been targeted, although only the Anglo-Swedish company AstraZeneca has been confirmed.
Recent Significant TTPs of Lazarus Group
To boost the effectiveness of its attacks, Lazarus is known to deploy novel methodologies and specialized toolkits. On April 13, a malicious document used by this actor to target South Korea was detected. To drop its loader in this campaign, Lazarus used the unusual approach of BMP image files laced with malicious HTA objects.
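The campaign described above hid an HTA payload inside a BMP image, a file type that mail gateways and endpoint tools often treat as harmless. As an added defensive example (not code from SOCRadar, the FBI, or any analysis of the campaign), the following Python script applies two generic checks a scanner can run on image attachments: whether the BMP's own headers leave room for bytes that are not pixels (a gap before the pixel array, or data after it), and whether any region of the file contains HTML/HTA script markers. The sample bitmaps and the HTA-like trailer are constructed inline; the marker list and the exact embedding layout are assumptions for illustration, not details taken from the page.

```python
"""Heuristic scanner for BMP images carrying appended or embedded script/HTA content.

Added example, not part of the original article. The marker list and the
embedding layout assumed here are illustrative.
"""
import struct
from dataclasses import dataclass, field
from typing import List

# Case-insensitive byte markers that have no business inside a bitmap (assumed list).
SCRIPT_MARKERS = (b"<html", b"<script", b"<hta:application", b"wscript.shell", b"activexobject")


@dataclass
class BmpFinding:
    name: str
    issues: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.issues)


def scan_bmp(data: bytes, name: str = "<bytes>") -> BmpFinding:
    """Check BMP structure for hidden payload space, then look for script markers."""
    f = BmpFinding(name)
    if len(data) < 54 or data[:2] != b"BM":
        f.issues.append("missing or truncated BMP file header")
        return f
    declared_size = struct.unpack_from("<I", data, 2)[0]
    off_bits = struct.unpack_from("<I", data, 10)[0]
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:  # only BITMAPINFOHEADER and larger are handled here
        f.issues.append(f"unsupported DIB header size {dib_size}")
        return f
    (_, width, height, _planes, bpp, compression,
     size_image, _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from("<IiiHHIIiiII", data, 14)

    if declared_size != len(data):
        f.issues.append(f"declared size {declared_size} != actual size {len(data)}")

    # Headers plus optional palette should end exactly where the pixel array begins.
    palette_bytes = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    expected_off = 14 + dib_size + palette_bytes
    if off_bits > expected_off:
        f.issues.append(f"{off_bits - expected_off} unexplained bytes between headers and pixel array")

    # For uncompressed data the pixel array size follows from width, height and depth.
    stride = ((width * bpp + 31) // 32) * 4
    expected_pixels = stride * abs(height) if compression == 0 else size_image
    bytes_after = len(data) - (off_bits + expected_pixels)
    if bytes_after > 0:
        f.issues.append(f"{bytes_after} bytes after end of pixel array")

    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        idx = lowered.find(marker)
        if idx != -1:
            f.issues.append(f"script marker {marker.decode()!r} at offset {idx}")
    return f


def build_bmp(width: int, height: int, pixels, trailer: bytes = b"") -> bytes:
    """Construct a minimal 24-bit bottom-up BMP; `trailer` simulates appended data
    that the file header does not account for (constructed test input)."""
    stride = ((width * 24 + 31) // 32) * 4
    rows = []
    for y in range(height):
        row = b"".join(bytes(p) for p in pixels[y])
        rows.append(row + b"\x00" * (stride - len(row)))
    pixel_data = b"".join(rows)
    off = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", off + len(pixel_data), 0, 0, off)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixel_data), 2835, 2835, 0, 0)
    return file_hdr + dib + pixel_data + trailer


# Constructed samples: a 2x2 image and an HTA-shaped trailer with no real payload.
SAMPLE_PIXELS = [[(255, 0, 0), (0, 255, 0)], [(0, 0, 255), (255, 255, 255)]]
HTA_TRAILER = (b'<html><head><hta:application id="x"></head>'
               b"<script language=\"VBScript\">' payload omitted</script></html>")

if __name__ == "__main__":
    samples = {
        "clean.bmp": build_bmp(2, 2, SAMPLE_PIXELS),
        "appended.bmp": build_bmp(2, 2, SAMPLE_PIXELS, trailer=HTA_TRAILER),
        "embedded.bmp": build_bmp(2, 2, SAMPLE_PIXELS)[:54] + b"<script>".ljust(16, b"\x00"),
    }
    for name, blob in samples.items():
        result = scan_bmp(blob, name)
        print(name, "SUSPICIOUS" if result.suspicious else "ok")
        for issue in result.issues:
            print("   -", issue)
```

The structural checks catch a payload appended past the pixel array even when it contains no recognisable text (for instance when it is compressed or encoded), while the marker scan catches script text overwritten into the pixel area of a file whose sizes all add up. Neither check proves the image is malicious on its own; both are triage signals for an attachment sandbox or a mail gateway rule.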

How to Prepare for Lazarus APT Attacks
APTs are very sophisticated, well-sponsored attacks, often targeted at an organization’s most valuable digital assets. Because of the wide capabilities of advanced threat actors, APTs are much more challenging to detect and prevent than traditional security threats.
As such, advanced threats require security leaders to rethink their perspective on operations. CISOs can build more proactive capabilities and reorganize the security function to defend themselves against advanced threats. We recommend three steps CISOs can take to better prepare for APTs targeting their organizations.
1. Actionable Threat Intelligence is the Key
Most CTI programs fail because they rely only on threat feeds without sufficient context. Combining actionable threat intelligence with broad attack surface visibility will keep you one step ahead.
To build a successful cyber threat intelligence program, CISOs should begin by gaining visibility into the evolving attack surface, including cloud infrastructure. The quality of the data is much more important than the quantity, so make sure you monitor relevant Surface, Deep, and Dark Web sources.
2. Focus on Identifying Internet-Facing Blindspots
Most of today’s cybersecurity tools focus on traditional threats and seek to be comprehensive. This makes them poorly suited to planning defenses against the techniques used in APT attacks. Security leaders need to align controls to a threat-centric framework, such as the cyber kill chain, so that they can more easily identify blind spots that bad actors can exploit.
3. Develop an Early Warning Strategy to Detect External Threats
Extend your perspective from a reactive approach to a proactive one. To build an effective security strategy, security teams must integrate a new set of capabilities: external vulnerability intelligence, extensive identity intelligence, brand protection, Human Intelligence (HUMINT), and targeted deep/dark web intelligence, to prevent future cyber attacks. (Ref: https://socradar.io/apt-profile-who-is-lazarus-group/)