We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia.
#Lazarus group code#
Lazarus managed to inject malicious code in many other locations.
The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many. We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller units within the group, which we have dubbed Bluenoroff, is responsible for financial profit. Their interest in financial gain is relatively new, considering the age of the group, and it seems that they have a different set of people working on the problems of invisible money theft or the generation of illegal profit. Lazarus was previously known to conduct cyberespionage and cybersabotage activities, such as attacks on Sony Pictures Entertainment with volumes of internal data leaked, and many system harddrives in the company wiped. We have seen the detection of their infiltration tools in multiple countries in the past year.
Lazarus attacks are not a local problem and clearly the group’s operations span across the whole world.
#Lazarus group software#
With cooperation and support from our research partners, we have managed to address many important questions about the mystery of Lazarus attacks, such as their infiltration method, their relation to attacks on SWIFT software and, most importantly, shed some light on attribution. We have had the privilege of investigating these attacks and helping with incident response at a number of financial institutions in South East Asia and Europe. This is the first time we announce some Lazarus Group operations that have thus far gone unreported to the public. We would like to add some strong facts that link some attacks on banks to Lazarus, and share some of our own findings as well as shed some light on the recent TTPs used by the attacker, including some yet unpublished details from the attack in Europe in 2017. Considering that the afterhack publications by the media mentioned that the investigation stumbled upon three different attackers, it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions, or if Lazarus had in fact developed its own malware to attack banks’ systems. However, while almost everybody in the security industry has heard about the attack, few technical details have been revealed to the public based on the investigation that took place on site at the attacked company. The only case where specific malware targeting the bank’s infrastructure used to connect to SWIFT messaging server was discovered, is the Bangladesh Central Bank case. While all these facts are fascinating, the connection between Lazarus attacks on banks, and their role in attacks on banks’ systems, was still loose. However, from this it’s only clear that Lazarus might have attacked Polish banks. Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers. Other claims that Lazarus was the group behind attacks on the Polish financial sector, came from Symantec in 2017, which noticed string reuse in malware at one of their Polish customers.
This similarity was found to be satisfying to many readers, however at Kaspersky Lab, we were looking for a stronger connection. This was followed by another blogpost by Anomali Labs, confirming the same wiping code similarity. One such publication was made available by BAE systems in May 2016, however it only included analysis of the wiper code. Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist. Today we’d like to share some of our findings, and add something new to what’s currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank. While the original article didn’t mention Lazarus Group it was quickly picked up by security researchers. In February 2017 an article in the Polish media broke the silence on a long-running story about attacks on banks, allegedly related to the notoriously known Lazarus Group.
0 kommentar(er)
