A report published this week by cybersecurity researchers establishes some of the strongest links yet between the mysterious hacker collective Lazarus Group and North Korea's Reconnaissance General Bureau (RGB), the military unit responsible for peacetime cyberattacks and espionage against enemies.
Cybersecurity company Group-IB published the findings in its report, Lazarus Arisen: Architecture / Tools / Attribution. The report details Lazarus Group's cyber tactics, techniques and procedures (TTPs), including the "complex botnet" it uses for command and control (C&C) infrastructure and the extensive "multi-modal" toolset it uses to conduct cyberattacks.
Lazarus Group "demonstrated a flexible approach to attacks by applying different hacking tools, which prevented their detection by endpoint security solutions," the researchers wrote. The hackers also pulled off "several successful attacks without employing 0-day exploits."
Cybersecurity researchers have studied the mysterious Lazarus Group for years. Much evidence pointed to a close association between Lazarus Group and the North Korean military. Still, many stopped short of claiming a direct link or attributing Lazarus hacks to North Korea's military. Yet, the evidence to support these conclusions continues to mount.
In the 53-page report, Group-IB researchers said they broadened their investigation from just Lazarus Group's malware code. Threat actors can reuse source code, the researchers noted, which often prevents conclusive attribution. Group-IB's research included a "broad range of data, both technical and strategic, which places clear attribution on North Korea," the report said.
Based on a detailed study of attack infrastructure, Group-IB traced the origin of Lazarus Group's cyberattacks through a three-tiered C&C architecture to two North Korean internet protocol (IP) addresses: 210.52.109.22 and 175.45.178.222.
"The second IP address relates to Potonggang District, perhaps coincidentally, where National Defence Commission is located — the highest military body in North Korea," the report notes.
The researchers found additional links while revisiting past cyberattacks believed to have originated in North Korea. Group-IB's investigation turned up a 2016 South Korean Arirang TV Agency report, in which the researchers noticed two IP addresses (175.45.178.19 and 175.45.178.97) in the background on a news graphic.
The two IP addresses were associated with the Ghost Remote Access Trojan (RAT). Both the IP addresses associated with the Ghost RAT fell within the same range as one of the IP addresses (175.45.178.222) that Group-IB researchers linked to Lazarus Group cyberattacks that have occurred since March 2016. The Ghost RAT is believed to be controlled by the Dark Seoul cyber operation. The Dark Seoul operation is believed to be controlled by Bureau 121, within North Korea's RGB.
Lazarus Groups Adaptive TTPs to Mislead Cybersecurity Researchers
Group-IB's report describes how Lazarus Group has tried to confuse cybersecurity researchers. Lazarus Group changed its TTPs in March 2016, just after a successful $81 million cyber heist from the Bangladesh Central Bank. The Bangladesh cyberattack has been widely attributed to Lazarus Group.
The hackers adapted TTPs partly by expanding their C&C infrastructure across IP addresses of universities in the U.S., Canada, Great Britain, India, Bulgaria, Poland and Turkey. The hackers also extended the massive botnet by capturing compromised computers in pharmaceutical companies in China and Japan, in addition to government subnets in various countries.
About the same time, also in March 2016, the Lazarus Group began to impersonate Russian hackers, Group-IB researchers said. TTPs designed to throw off cyber investigators included the use of "specific debugging symbols and strings containing Russian words," the report said. Lazarus hackers also began using a commercial product called Enigma Protector, which was developed by a Russian software programmer. Finally, Lazarus used Flash and Silverlight exploits created by Russian-speaking hackers.
"These masquerade techniques did initially mislead some researchers who conducted express analysis of malicious code," Group-IB researchers wrote.
Lazarus Group C&C Infrastructure Detailed
Lazarus Group's C&C infrastructure consists of a three-tier architecture that uses Secure Sockets Layer (SSL) encrypted channels between servers and victim systems to conceal communications and commands. The hackers also encrypt the actual data — the content — of its communications to evade detection by security solutions that "unpack" encrypted network traffic, the researchers said.
To remain anonymous, Lazarus Group used SoftEther, a virtual private network (VPN) supported by the University of Tsukuba in Japan. A legitimate and trusted tool in some organizations, SoftEther raised no flags with enterprise security solutions, thereby allowing the hackers to remain undetected.
SoftEther provided additional features that helped hackers to avoid detection, such as the use of Internet Control Message Protocol (ICMP) and the Domain Name System (DNS) protocol, both of which are usually allowed as legitimate network traffic by enterprise security solutions. Computers and servers running Windows, Linux, FreeBSD, Solaris and MacOS X support SoftEther, providing the hackers wide latitude for the VPN's use.
Group-IB's report documents in detail Lazarus Group's use of a custom toolset to operate and manage the C&C infrastructure, including:
- Server_RAT to manage Windows-based server infrastructure;
- Server_TrafficForwarder to forward traffic from one external server to another;
- Backend_Listener to establish connection with servers with installed Server_RAT and to get commands directly from hackers;
- Admin_Tool to send commands through the layered C&C infrastructure to infected computers; and
- SWIFT Toolbox, which consists of SWIFT Alliance software Hook Files and SWIFT transactions Information Harvester.
Lazarus Groups Attack Tools Detailed
Group-IB noted that Lazarus Group has increasingly turned its sights to financial targets, with the goal of profiting from its cyberattacks. Some have speculated that additional financial and economic sanctions, resulting from North Korea's increased missile test fires, have necessitated this shift in motive and operations.
Many Lazarus Group exploits over the past year began with so-called watering-hole attacks, wherein hackers compromise a website the hackers' targeted victims are likely to visit. Group-IB researchers identified three primary domains — all financial or financial regulatory institutions — that were compromised and used as watering holes.
"Hackers infected only those users who visited the website from a computer within the specified IP range," researchers noted.
The hackers gained access to victim organizations using known vulnerabilities in JBoss and Liferay, Group-IB said. They also created an exploit for Silverlight CVE-2016-0034 (MS 16-006) and a separate one for Adobe Flash. Before Lazarus Group's use, the Silverlight and Flash exploits had been incorporated into the popular exploit kits Angler, Neutrino and RIG.
As with other sophisticated threat actors, the exploit via watering hole is just the first step in a multi-step hack. Lazarus Group uses a custom tool to support each subsequent step, as Group-IB identified:
- Recon Performs initial recon to determine if compromised systems are of interest;
- Dropper Extracts and decrypts the Loader;
- Loader Decrypts the payload Client_RAT or Client_TrafficForwarder and injects into a legitimate operating system process;
- Client_TrafficForwarder Forwards commands from external network into corporate network; and
- Client_RAT Provides full control of target system.
Group-IB's report provides extensive documentation on each of these tools and indicators of compromise.
Is Lazarus on the Edge of the Abyss?
The Group-IB report is the latest in a series of research findings published on North Korean cyber operations. These revelations coincide with North Korean leader Kim Jong Un's increasingly erratic behavior and aggressive provocations, including repeated missile test fires.
But the Hermit Kingdom's days as a kinetic and cyber provocateur may be numbered. On May 27, VOA News reported that the U.S. Navy planned to deploy a third carrier group, the USS Nimitz, from Bremerton, Wash., to the Western Pacific on June 1. The Pentagon has since characterized the development as "routine."
But George Friedman, founder of Geopolitical Futures, wrote in May 29 blog post that, "The United States is preparing for war … The signs are all there. The United States does not deploy the force it has deployed unless it's serious."
Knowing that conventional military action will be met with intense cyberattacks from North Korea, the U.S. Department of Defense has tasked a cyber protection team to the Terminal High Altitude Area Defense, or THAAD, battery deployed to the Korean Peninsula, Fifth Domain has reported.
Given recent developments and the current geostrategic calculus, Friedman said war is still weeks away — if it happens at all. Friedman predicted that efforts to reach a diplomatic solution will intensify in the meantime. "Still," Friedman wrote, "you have to consider that North Korea is staring down into the abyss."
