Security researchers on Feb. 2 reported that they have detected a cyberattack campaign by the North Korean Lazarus Group, targeting medical research and energy organizations for espionage purposes.
The attribution was made by threat intelligence analysts for WithSecure, which discovered the campaign while running down an incident against a customer it suspected was a ransomware attack. Further investigation — and a key operational security (OpSec) slip-up by the Lazarus crew — helped them uncover evidence that it was actually part of a wider state-sponsored intelligence gathering campaign being directed by North Korea.
“This was initially suspected to be an attempted BianLian ransomware attack,” says Sami Ruohonen, senior threat intelligence researcher for WithSecure. “The evidence we collected quickly pointed in a different direction. And as we collected more, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group.”
From Ransomware to Cyber Espionage
The incident that led them to this activity began through an initial compromise and privilege escalation that was achieved through exploitation of known vulnerabilities in an unpatched Zimbra mail server at the end of August. Within a week, the threat actors had exfiltrated many gigabytes of data from the mailboxes on that server. By October, the attacker was moving laterally across the network and using living-off-the-land (LotL) techniques along the way. By November, the compromised assets started beaconing to Cobalt Strike command-and-control (C2) infrastructure, and in that time period, attackers exfiltrated almost 100GB of data from the network.
The research team dubbed the incident “No Pineapple” for an error message in a backdoor used by the bad guys, that appended <No Pineapple!> when data exceeded segmented byte size.
The researchers say they have a high degree of confidence that the activity squares up with Lazarus group activity based on the malware, TTPs, and a couple of findings that include one key action during the data exfiltration. They discovered an attacker-controlled Web shell that for a short time connected to an IP address belonging to North Korea. The country has fewer than a thousand such addresses, and at first, the researchers wondered if it was a mistake, before confirming it wasn’t.
“In spite of that OpSec fail, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints,” says Tim West, head of threat intelligence for WithSecure.
As the researchers kept digging into the incident, they were also able to identify additional victims of the attack based on connections to one of the C2 servers controlled by the threat actors, suggesting a much broader effort than originally suspected, in keeping with espionage motives. Other victims included a healthcare research company; a manufacturer of technology used in energy, research, defense, and healthcare verticals; and a chemical engineering department at a leading research university.
The infrastructure observed by the researchers has been established since last May, with most of the breaches observed taking place in third quarter of 2022. Based on the victimology of the campaign, the analysts believe the threat actor was intentionally targeting the supply chain of the medical research and energy verticals.
Lazarus Never Stays Down for Long
Lazarus is a long-running threat group that’s widely thought to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. Threat researchers have pinned activity to the group dating as far back as 2009, with consistent attacks stemming from it over the years since, with only short periods of going to ground in between.
The motives are both financial — it’s an important revenue-generator for the regime — and spy-related. In 2022, numerous reports emerged of advanced attacks from Lazarus that included targeting of Apple’s M1 chip, as well as fake job posting scams. A similar attack last April sent malicious files to targets in the chemical sector and IT, also disguised as job offers for highly attractive dream jobs.
Meanwhile, last week the FBI confirmed that Lazarus Group threat actors were responsible for the theft last June of $100 million of virtual currency from the cross-chain communication system from the blockchain firm Harmony, called Horizon Bridge. The FBI’s investigators report that the group used the Railgun privacy protocol earlier in January to launder more than $60 million worth of Ethereum stolen in the Horizon Bridge heist. Authorities say they were able to freeze “a portion of these funds.”