The Story Behind the Mastermind of the Largest Heist in Web3 History, the Lazarus Group

Source: Wikipedia

Translation Source: Yobo, Foresight News

The following content is translated from the Wikipedia article "Lazarus Group":

The Lazarus Group (also known as the "Guardians" or "Peace or Whois Team") is a hacker group composed of an unknown number of individuals, reportedly controlled by the North Korean government. Although understanding of the group is limited, researchers have attributed multiple cyberattacks to them since 2010.

The group initially started as a criminal gang but is now recognized as an advanced persistent threat organization due to its attack intentions, the threats it poses, and the various tactics used during operations. They have been given various aliases by cybersecurity agencies, such as "Hidden Cobra" (used by the U.S. Department of Homeland Security to refer to malicious cyber activities conducted by the North Korean government) and "ZINC" or "Diamond Sleet" (Microsoft's terms). According to defector Kim Kuk-song from the country, the group is known within North Korea as the "414 Liaison Office."

The Lazarus Group is closely linked to North Korea. The U.S. Department of Justice has stated that the group is part of the North Korean government's strategy aimed at "disrupting global cybersecurity... and violating sanctions to generate illicit revenue." North Korea gains various benefits through its cyber operations, needing only to maintain a very lean team to pose a "global" asymmetric threat (especially against South Korea).

Development History

The earliest known attacks by the group were the "Trojan Operation" from 2009 to 2012. This was a cyber espionage campaign that utilized relatively unsophisticated Distributed Denial of Service (DDoS) attacks targeting the South Korean government in Seoul. Attacks were also carried out in 2011 and 2013. While not confirmed, a 2007 attack on South Korea is also suspected to be their doing. A notable attack by the group occurred in 2014, targeting Sony Pictures. This attack employed more sophisticated techniques, indicating the group's increasing maturity over time.

It was reported that in 2015, the Lazarus Group stole $12 million from Ecuador's Banco del Austro and $1 million from Vietnam's TPBank. They also targeted banks in Poland and Mexico. In a 2016 bank heist, they conducted an attack on a bank, successfully stealing $81 million, which is attributed to the group. In 2017, reports emerged that the Lazarus Group stole $60 million from the Far Eastern International Bank in Taiwan, although the actual amount stolen remains unclear, and most of the funds have been recovered.

The true mastermind behind this organization is currently unknown, but media reports suggest a close association with North Korea. In 2017, a Kaspersky Lab report stated that the Lazarus Group tends to focus on espionage and penetration-type cyberattacks, while an internal subdivision referred to by Kaspersky as "Bluenoroff" specifically engages in financial cyberattacks. Kaspersky identified multiple attacks worldwide and found a direct IP address association with the country in the case of Bluenoroff.

However, Kaspersky also acknowledged that code reuse could be a form of "false flag operation" aimed at misleading investigators and framing North Korea, as seen in the global "WannaCry" ransomware cyberattack that copied the U.S. National Security Agency's technology. This ransomware exploited the NSA's "EternalBlue" vulnerability, which was disclosed by a hacker group called the "Shadow Brokers" in April 2017. In 2017, a Symantec report suggested that the "WannaCry" attack was highly likely the work of the Lazarus Group.

2009 "Operation Troy"

The first major hacking incident involving the Lazarus Group occurred on July 4, 2009, marking the beginning of "Operation Troy." This attack utilized the "MyDoom" and "Dozer" malware to launch large-scale but unsophisticated DDoS attacks against U.S. and South Korean websites. Approximately 36 websites were targeted in this wave of attacks, with the insertion of "Independence Day" text in the Master Boot Record (MBR).

2013 South Korean Cyberattacks ("Operation 1" / "Dark Seoul" Operation)

Over time, the organization's attack methods became more sophisticated; their technology and tools also became more mature and effective. The "Ten Days of Rain" attack in March 2011 targeted South Korean media, financial institutions, and critical infrastructure using more complex DDoS attacks originating from compromised computers within South Korea. On March 20, 2013, the "Dark Seoul" operation was launched, which was a data-wiping attack against three South Korean broadcasting companies, financial institutions, and an internet service provider. At that time, two other groups calling themselves the "New Roman Network Legion" and "WhoIs Team" claimed responsibility for the attack, but researchers were unaware that the mastermind behind it was the Lazarus Group. Today, researchers know that the Lazarus Group was behind these destructive attacks.

Late 2014: Sony Pictures Entertainment Breach

On November 24, 2014, the Lazarus Group's attacks reached a peak. On that day, a post appeared on Reddit stating that Sony Pictures had been breached by unknown means, with the attackers claiming to be the "Guardians of Peace." A large amount of data was stolen and gradually leaked in the days following the attack. A person claiming to be a member of the organization said in an interview that they had been stealing Sony's data for over a year.

The hackers were able to access unreleased movies, partial movie scripts, future movie plans, top executives' salary information, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: "Operation Blockbuster"

Code-named "Operation Blockbuster," an alliance of multiple security companies led by Novetta analyzed malicious software samples discovered in various cybersecurity incidents. Using this data, the team analyzed the hackers' modus operandi. They linked the Lazarus Group to multiple attacks through code reuse patterns. For example, they employed a little-known encryption algorithm on the internet—the "Caracasis" encryption algorithm.

2016 Bank Network Heist

In February 2016, a bank heist occurred. Security hackers used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to send 35 fraudulent payment instructions, attempting to illegally transfer nearly $1 billion from a central bank in a certain country held at the Federal Reserve Bank of New York. Five of the fraudulent payment instructions successfully transferred $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York became suspicious due to a misspelling in one instruction, thwarting the remaining 30 transactions involving $850 million. Cybersecurity experts stated that the mastermind behind this attack was the Lazarus Group from a certain country.

May 2017 "WannaCry" Ransomware Attack

The "WannaCry" attack was a large-scale ransomware cyberattack. On May 12, 2017, from the UK's National Health Service (NHS) to Boeing and even some universities in China, numerous institutions worldwide were affected. The attack lasted for 7 hours and 19 minutes. Europol estimated that this attack affected nearly 200,000 computers in 150 countries, with major impacts in Russia, India, Ukraine, and Taiwan. This was one of the earliest instances of a cryptoworm attack. A cryptoworm is a type of malware that spreads between computers over a network without the need for direct user interaction—in this attack, it exploited the TCP port 445. Computers infected with the virus did not require clicking on malicious links; the malware could propagate automatically, spreading from one computer to a connected printer, then to other computers on nearby connected wireless networks, and so on. The vulnerability in port 445 allowed the malware to spread freely within internal networks, rapidly infecting thousands of computers. The "WannaCry" attack was one of the first large-scale uses of a cryptoworm.

Attack Method: The virus exploited a vulnerability in the Windows operating system, then encrypted the computer data, demanding around $300 worth of Bitcoin to obtain the decryption key. To prompt payment from the victims, the ransom would double after three days, and if not paid within a week, the malware would delete the encrypted data files. The malware utilized a legitimate software developed by Microsoft called "Windows Crypto" to encrypt files. After encryption, the file names would have the "Wincry" suffix added to them, hence the origin of the name "WannaCry." "Wincry" formed the basis of the encryption, but the malware also leveraged two other vulnerabilities, "EternalBlue" and "DoublePulsar," turning it into an encryption worm. "EternalBlue" could automatically spread the virus through networks, while "DoublePulsar" would activate the virus on the victim's computer. In other words, "EternalBlue" propagated infected links to your computer, and "DoublePulsar" clicked on it on your behalf.

Security researcher Marcus Hutchins received a sample of the virus from a friend at a security research company and discovered a "kill switch" hardcoded into the virus, halting the attack. The malware would periodically check if a specific domain name was registered and only continue with the encryption operation if the domain name did not exist. Hutchins identified this check mechanism and subsequently registered the related domain name at 3:03 PM UTC. The malware immediately ceased spreading and infecting new devices. This turn of events was quite intriguing and provided a lead to track down the virus authors. Typically, thwarting malware would require hackers and security experts to engage in a months-long battle, so easily emerging victorious was unexpected. Another unusual aspect of this attack was that files could not be recovered even after paying the ransom: the hackers received only $160,000 in ransom, leading many to believe that their goal was not financial gain.

The ease with which the "kill switch" was bypassed and the meager ransom earnings led many to believe that this attack was state-sponsored; its motive was not financial gain but rather creating chaos. Following the attack, security experts traced the "DoublePulsar" vulnerability back to the United States National Security Agency, as the vulnerability was initially developed as a cyber weapon. Subsequently, the Shadow Brokers hacker group stole this vulnerability, initially attempting to auction it off without success, and eventually opted to release it for free. The NSA then informed Microsoft of this vulnerability, and Microsoft released an update on March 14, 2017, less than a month before the attack occurred. However, this was not enough, as the update was not mandatory, and by May 12, most computers vulnerable to this attack had not been patched, resulting in significant destruction from this attack.

Aftermath: The U.S. Department of Justice and UK authorities later determined that the "WannaCry" attack was carried out by the North Korean hacker group Lazarus Group.

2017 Cryptocurrency Attack Event

In 2018, Recorded Future released a report stating that the Lazarus Group was associated with attacks against cryptocurrency Bitcoin and Monero users, primarily targeting South Korean users. These attacks were reported to be technically similar to previous attacks using the "WannaCry" ransomware and attacks against Sony Pictures. One of the methods used by Lazarus Group hackers was exploiting a vulnerability in the South Korean word processing software Hangul (developed by Hancom). Another method was to send spear-phishing lures containing malware, targeting South Korean students and users of cryptocurrency exchanges like Coinlink.

If users opened the malware, their email addresses and passwords would be stolen. Coinlink denied that its website or user email addresses and passwords were compromised by hackers. The report concluded that "this series of attacks at the end of 2017 demonstrates that a certain country's interest in cryptocurrency shows no signs of abating, and we now know this interest extends to a wide range of activities including mining, ransomware attacks, and direct theft...". The report also noted that a certain country used these cryptocurrency attacks to circumvent international financial sanctions.

In February 2017, hackers from a certain country stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, was attacked in April 2017 and then suffered another attack in December of the same year, resulting in the theft of 17% of its assets and leading to bankruptcy. The Lazarus Group and hackers from a certain country were identified as the masterminds behind these attacks. In December 2017, the cryptocurrency cloud mining market NiceHash lost over 4,500 bitcoins. An updated investigation linked this attack to the Lazarus Group.

September 2019 Attack Event

In mid-September 2019, the U.S. issued a public alert, revealing a new malware called "ElectricFish." Since the beginning of 2019, a certain country's operatives have carried out five major global cyber heists, including successfully stealing $49 million from an institution in Kuwait.

End-of-2020 Pharmaceutical Company Attack Event

Due to the ongoing COVID-19 pandemic, pharmaceutical companies became a primary target for the Lazarus Group. Members of the Lazarus Group used spear-phishing techniques, posing as health officials, to send malicious links to pharmaceutical company employees. Several large pharmaceutical companies are believed to have been targeted, but only AstraZeneca, a joint venture with British and Swedish interests, has been confirmed so far. According to Reuters, numerous employees were targeted, many of whom were involved in COVID-19 vaccine development. The purpose of these attacks by the Lazarus Group is currently unclear but may include: stealing sensitive information for profit, carrying out extortion schemes, and enabling foreign powers to access proprietary research on the COVID-19 virus. AstraZeneca has not yet commented on the incident, with experts suggesting that no sensitive data breaches have occurred.

January 2021 Cyber Attack Targeting Security Researchers

In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had targeted security researchers through social engineering tactics, with Microsoft specifically attributing the attack to the Lazarus Group.

The hackers created multiple user profiles on platforms such as Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers and engaging with posts and content from other members of the security research community. They would then directly contact specific security researchers under the guise of collaborative research, leading the victims to download files containing malware or to visit blog posts on websites controlled by the hackers.

Some victims who visited the blog posts reported that despite using fully patched versions of Google Chrome, their computers were still compromised, suggesting that the hackers may have exploited a previously unknown Chrome zero-day vulnerability for the attack; however, Google stated upon the report's release that they could not pinpoint the exact intrusion method.

March 2022 Axie Infinity Chain Game Attack

In March 2022, the Lazarus Group was implicated in stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated, "Through investigation, we confirm that the Lazarus Group and APT38 (network actors associated with North Korea) are the masterminds behind this theft."

June 2022 Horizon Bridge Attack

The FBI confirmed that the North Korean malicious network actor organization Lazarus Group (also known as APT38) was the mastermind behind the $100 million virtual currency theft incident reported on June 24, 2022, from Harmony's Horizon Bridge.

2023 Other Crypto-Related Attack Events

A report released by the blockchain security platform Immunefi stated that the Lazarus Group was responsible for over $300 million in losses in the 2023 cryptocurrency hacking events, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet Attack: In June 2023, users of the Atomic Wallet service had over $100 million worth of cryptocurrency stolen, an event subsequently confirmed by the FBI.

September 2023 Stake.com Hack: In September 2023, the Federal Bureau of Investigation confirmed that the online casino and gambling platform Stake.com was hacked, with $41 million worth of cryptocurrency stolen by the Lazarus Group.

U.S. Sanctions

On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) under the country's Sanctions Regulations section 510.214, added the Lazarus Group to the Specially Designated Nationals (SDN) List.

2024 Cryptocurrency Attack

According to Indian media reports, a local cryptocurrency exchange named WazirX was attacked by the group, resulting in the theft of $234.9 million worth of cryptocurrency assets.

Personnel Development

It is rumored that some North Korean hackers are sent to Shenyang, China for specialized training to learn how to implant various types of malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il-sung University, and Mirim College undertake related educational tasks, selecting the most outstanding students nationwide to receive six years of special education. In addition to university education, "some of the best programmers ... will be sent to Mirim College or Mirim College for further study."

Organizational Branches

The Lazarus Group is believed to have two branches.

·BlueNorOff

BlueNorOff (also known as APT38, "Stellar Llama," "BeagleBoyz," "NICKEL GLADSTONE") is an economically motivated organization that conducts illegal fund transfers by forging Society for Worldwide Interbank Financial Telecommunication (SWIFT) instructions. Mandiant refers to it as APT38, while Crowdstrike calls it the "Stellar Llama."

According to a 2020 U.S. Army report, BlueNorOff has approximately 1700 members who focus on the sustained assessment and exploitation of enemy networks' vulnerabilities and systems, engaging in financial cybercrime activities to secure economic benefits for the regime or control related systems. From 2014 to 2021, their targets included at least 16 institutions in 13 countries, such as Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that these illicit gains were used for the country's missile and nuclear technology development.

BlueNorOff's most notorious attack was the 2016 bank heist, where they attempted to illegally transfer nearly $1 billion from a certain country's central bank's account at the New York Federal Reserve Bank via the SWIFT network. After partially succeeding in some transactions ($20 million to Sri Lanka and $81 million to the Philippines), the New York Federal Reserve Bank became suspicious due to a spelling error in one instruction, halting the remaining transactions.

Malware associated with BlueNorOff includes: "DarkComet," "Mimikatz," "Nestegg," "Macktruck," "Wantcry," "Whiteout," "Quickcafe," "Rawhide," "Smoothride," "TightVNC," "Sorrybrute," "Keylime," "Snapshot," "Mapmaker," "net.exe," "sysmon," "Bootwreck," "Cleantoad," "Closeshave," "Dyepack," "Hermes," "Twopence," "Electricfish," "Powerratankba," and "Powerspritz," among others.

BlueNorOff's common tactics include phishing, backdooring, exploiting vulnerabilities, watering hole attacks, executing code on systems by exploiting outdated and insecure Apache Struts 2 versions, strategically hacking websites, and accessing Linux servers. There are reports suggesting they sometimes collaborate with cybercriminal hackers.

· AndAriel

AndAriel, also spelled Andarial, goes by other aliases: Silent Chollima, Dark Seoul, Rifle, and Wassonite. Logically, its characteristic is to target South Korea. The nickname "Silent Chollima" stems from the organization's secretive nature [70]. Any institution in South Korea could be targeted by AndAriel, including government agencies, defense institutions, and various economic landmarks.

According to a 2020 U.S. Army report, the AndAriel organization has around 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map out enemy networks for potential attacks. Apart from South Korea, they also target other countries' governments, infrastructures, and businesses. Their attack methods include exploiting ActiveX controls, South Korean software vulnerabilities, watering hole attacks, spear-phishing (macro virus method), attacking IT management products (such as antivirus software and project management software), and launching attacks through the supply chain (installers and updaters). The malware used includes: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

Persons Involved in Legal Actions

In February 2021, the U.S. Department of Justice filed a lawsuit against three members of the North Korean military intelligence agency Reconnaissance General Bureau—Park Jin Hyok, Jon Chang Hyok, and Kim Il Park—accusing them of participating in multiple hacking activities attributed to the Lazarus Group. Park Jin Hyok had been indicted as early as September 2018. These suspects are currently not detained in the United States. Additionally, one Canadian and two Chinese individuals have also been charged as money launderers and funders for the Lazarus Group.

Original Article Link