NORK spy agency blamed for Bangladesh cyberheist, Sony Pictures hack

Group-IB IDs Lazarus Group

A fresh analysis, from a slightly different perspective, once again fingered North Korea as the likely culprit behind hacks against Sony Pictures and the $81m heist from an account held by the Central Bank of Bangladesh.

Moscow-based threat intelligence firm Group-IB has "no doubt" that Lazarus Group – a cybergang that launched raids against the Central Bank of Bangladesh and compromised a number of Polish banks – is connected to North Korea. Group-IB analysts reached their conclusion after running a deep analysis of the cybercriminals’ command & control infrastructure and reviewing other threat intelligence information.

Western intel agencies and private cybersecurity firms also point to North Korea as prime suspects in the same series of attacks. Group-IB said its research is different from previous work, which was focused on either malware analysis or the attribution based on malware analysis. Instead, Group-IB argues that infrastructure research is more reliable. Group-IB goes much further than others in naming the specific North Korean agency involved, saying in a blog post:

[Group-IB’s] experts conducted an in-depth investigation of Lazarus activity and gained unique insight into their complex botnet infrastructure built by the hacker group to conduct their attacks. Despite the complex three-layer architecture, encrypted channels, VPN services and other advanced techniques, the researchers managed to identify that the group was operating from Potonggang District, North Korea. Perhaps coincidentally, where National Defence Commission was located – previously the highest military body in North Korea.

The Lazarus is allegedly controlled by Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency.

Lazarus (also known as Dark Seoul Gang) first came to notice after running various distributed denial of service (DDoS) and hack attacks against government, military and aerospace institutions worldwide.

The earliest known attack linked to the group, the "Troy Operation," took place between 2009 and 2012, and involved unsophisticated DDoS attacks against South Korean government targets.

By 2014, the Lazarus crew made its bones with the launch of a much more sophisticated attack against Sony Pictures. The hack involved the theft of personal information about the employees and their families, internal emails, copies of then-unreleased Sony films, as well as other information. Extracts of the data were subsequently leaked.

The pressure increases

As the global economic pressure on North Korea increased, Lazarus shifted its focus to international financial organisations for financial and espionage gains, according to Group-IB. In 2016, the group attempted to steal about $95m from the Central Bank of Bangladesh SWIFT. A mistake in a payment request led to the detection of the fraud and limited the damage to a still colossal $81m.

Dmitry Volkov, head of the threat intelligence department and сofounder of Group-IB, commented: “Our research testified that North Korean Lazarus Group is taking extraordinary precaution measures, dividing the attacks into several stages and launching all the modules manually. So that even if the attack is detected, it would take security researchers much time and effort to investigate it. To mask malicious activity, the hackers used a three-layer C&C infrastructure and pretended to be Russians.”

Through analysis of compromised networks, Group-IB identified IP addresses of universities in the US, Canada, Great Britain, India, Bulgaria, Poland and Turkey; pharmaceutical companies in Japan and China; and government subnets in various countries that Group-IB was abusing to run its attacks.

More details on Lazarus Group’s attack methodology for financial institutions, the malware employed, and the main targets of the attackers are available via a Group-IB blog post here. The full report is available here. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017