![]() Subgroup: Bluenoroff, APT 38, Stardust Chollimaĭescription: Since at least 2009, Lazarus Group has been observed as a highly sophisticated cybercriminal group that is known to be affiliated with the North Korean government (as per the Council of Foreign Relations – CFR).While the Lazarus Group tend to concentrate on espionage-style attacks, other subgroups such as Bluenoroff are specialists in cyberattacks that largely have a financial element. Researchers describe the Lazarus Group to have 3 subgroups as listed below. The method of phishing and credential theft was only observed once out of 13 campaigns tracked by CTI.Īlias: APT 38, APT-38, APT38, Andariel, AppleJeus, Appleworm, Bluenoroff,B ureau 121, Covellite, Dark Seoul, Group 77, Group77, Guardians of Peace, Hastati Group, Hidden Cobra, Labyrinth Chollima, Lazarus, NICKEL ACADEMY, NewRomanic Cyber Army Team, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Stardust Chollima, Unit 121, Whois Hacking Team, ZINC The use of malware implants and lateral movement into the organization was a common tactic. The majority of the observed campaign carried out by the Lazarus Group involved heavy use of exploiting vulnerabilities in internet exposed systems including weakness in email/ VPN appliances. Other malware including AppleJeus, Emotet, FallChill, and Pebbledash were also leveraged in more than one campaign. While numerous malware were used by the Lazarus Group in these campaigns, the NukeSped RAT was the most observed malware in multiple campaigns followed by Cobalt Strike. Only a few of the malware were leveraged by the threat actor in multiple campaigns and most of the malware was seen in only one campaign. The majority of these attacks were focused on Industrial Conglomerate organizations, working in the financials, IT sector, and automobile sectors.īelow is the list of all the malware used by the Lazarus Group during these campaigns. In addition, attempts to exploit remote access solutions such as VPNs have been observed which have been the focal point of cyber criminals these days.įrom the campaign observed by CTI in 2022, Lazarus Group attacked organizations from more than 20+ industry verticals. From the trends, it can be seen that exploiting weaknesses in web application- related software and products is the most favored method by the Lazarus Group. The below figure illustrates the technologies that target the threat actor group during these campaigns. The Lazarus Group leveraged vulnerabilities and exploits in Application Server Software, Database Management Software, Operating systems, Virtual Private Network (VPN) Solutions, and Web Application to infiltrate the network and systems of potential victims. For example, Japan was the only target for the campaigns MUD NATIONALS, UNC029, and UNC028. ![]() However, as the above figure illustrates some of the targeted countries, we observed in 2022 campaigns were part of only one campaign and more interestingly, some of the campaigns were only targeted at specific nation-states. Lazarus Group is known to carry out attacks for financial gains and it can be assessed that the threat actor group similar to financially motivated cyber criminals may opt to attack multiple disparate targets for high returns. Countries like Singapore, India, and United Kingdom – while not at the top – remain to be of particular interest to the Lazarus Group and were also featured in multiple of their campaigns. ![]() The United States and Japan have the most favorable targets for Lazarus Group and were targeted in 9 and 8 campaigns respectively. The following figure illustrates the countries which were subject to the Lazarus Group campaigns. The below figure illustrates all the counties which were targeted in these campaigns. Out of the 13 campaigns observed by CTI in 2022, the majority of campaigns were targeted at multiple counties across the globe, however, a couple of the campaigns observed by CTI appeared to target specific nations. High-level summary of recent campaigns observed by CYFIRMA attributed to the Lazarus Group in 2022. The following list contains recent campaigns observed by CYFIRMA Threat Intelligence (CTI) that are attributed to the Lazarus Group and or its affiliates in 2022. Lazarus Group Recent Trends Recently Observed Campaigns
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |