Group-IB Reports North Korean Hackers Attack Global Banks for Money and Data Theft

Group-IB, one of the global leaders in providing high-grade Threat Intelligence and best in class anti-fraud solutions vendor, has published a detailed report leaving no doubt that Lazarus, a cyber gang that attempted to steal about 1 billion USD from the Central Bank of Bangladesh and compromised a number of Polish banks, was connected to North Korea. Deep analysis of the cybercriminals’ Command & Control infrastructure as well as detailed Threat Intelligence information enabled the researchers to prove that the attacks were managed from Pyongyang. 

What is Lazarus?

Lazarus (also known as Dark Seoul Gang) is known to DDoS and hack governmental, military, and aerospace institutions worldwide. The earliest known attack that the group is responsible for is known as "Troy Operation", which took place from 2009-2012. This was a cyber-espionage campaign that utilized unsophisticated DDoS techniques to target the South Korean government in Seoul. They are also responsible for attacks in 2011 and 2013. A notable hack that the group is known for is the 2014 attack on Sony Pictures, when personal information about the employees and their families, internal e-mails, copies of then-unreleased Sony films as well as other information was published. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time. When the global economic pressure on North Korea increased, Lazarus shifted its focus to international financial organizations for financial and espionage gains. In 2016, the group attempted to steal about $951mln from the Central Bank of Bangladesh SWIFT; however, a mistake in a payment request cut the criminals’ income to only $81 mln.

What’s so peculiar about Group-IB’s report?

Previous reports were focused on either malware analysis, or the attribution based on malware analysis. However, since the attribution based on malware code similarities is not always reliable, Group-IB has focused on infrastructure research. The company’s experts conducted an in-depth investigation of Lazarus activity and gained unique insight into their complex botnet infrastructure built by the hacker group to conduct their attacks. Despite the complex three-layer architecture, encrypted channels, VPN services, and other advanced techniques, the researchers managed to identify that the group was operating from Potonggang District, North Korea — perhaps coincidentally, where National Defense Commission was located, previously the highest military body in North Korea.  

Dmitry Volkov, Head of Threat Intelligence Department and сo-founder of Group-IB:

“Our research testified that North Korean Lazarus group is taking extraordinary precaution measures, dividing the attacks into several stages and launching all the modules manually. So that even if the attack is detected, it would take security researchers much time and effort to investigate it. To mask malicious activity, the hackers used a three-layer C&C infrastructure and pretended to be Russians.”

Through analysis of compromised networks, Group-IB identified IP addresses of universities in the US, Canada, Great Britain, India, Bulgaria, Poland, Turkey, pharmaceutical companies in Japan and China, as well as government subnets in various countries.

“Taking into consideration strengthening economic sanctions against North Korea, as well as the geopolitical tension in the region, we expect a new wave of Lazarus attacks against global financial institutions. With that said, we strongly recommend the banks learn more about targeted attacks' tactics and techniques, increase corporate cybersecurity awareness, and cooperate with the companies providing relevant Threat Intelligence,” Volkov added.

More details on Lazarus group’s attack methodology for financial institutions, the malware employed, and the main targets of the attackers are available on the official blog of Group-IB: http://blog.group-ib.com/lazarus .

Full report is available at http://www.group-ib.com/lazarus.html

About Group-IB

Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud. The company is recognized by Gartner as a threat intelligence vendor with strong cyber security focus and the ability to provide leading insight to the Eastern European region and recommended by the Organization for Security and Co-operation in Europe (OSCE). Group-IB runs the largest computer forensics laboratory in Eastern Europe with 100+ successful investigations worldwide, as well as an official computer emergency response team CERT-GIB. Group-IB’s Secure Bank and Secure Portal represent sophisticated malware and remote control detection systems. Based on the company’s unique Threat Intelligence, they have real-time data on compromised banking cards and users’ credentials. TDS appliance tracks network communications and detects anomalies to effectively resist targeted attacks and APTs.

Group-IB products and services are used by global clients, including Fortune 500 companies in the US, Western Europe, Middle East, Asia and Australia. Group-IB’s clients include top-tier banks and financial intuitions, FMCG brands and industrial corporations, oil and gas companies, software and hardware vendors, and telecommunications service providers from Australia, Argentina, Brazil, Canada, EU, Russian Federation, UK, USA and Ecuador. More information at http://www.group-ib.com/

Please feel free to contact us for additional information pr@group-ib.com.

Follow us on Twitter (@GroupIB_GIB) to stay tuned.

Source: Group-IB


Categories: Finance, Internet and e-Commerce, IT Security

Tags: banking, hackers, information security, infosec, threat intelligence


About Group-IB

View Website

Group-IB is one of the most innovative companies dedicated to preventing and investigating high-tech crimes and online fraud.

Group-IB
Sharikopodshipnikovskaya, bld. 1, Fl. 9
Moscow
Russian Federation