APT Spotlight: Lazarus Group


Quick View:

  • Originally considered a criminal group that became an APT (Advanced Persistent Threat)

  • Undeniable ties to North Korea

  • Sometimes referred to as “Guardians of Peace” or “Whois Team”

  • Years active: 2007 to present (2022)

  • The U.S. intelligence community refers to malicious cyber activity by the North Korean government as HIDDEN COBRA

  • The FBI considers the Lazarus Group a North Korean “state-sponsored hacking organization”

  • The NSA and the FBI both rank this group among the most dangerous entities to national security


Lazarus Group’s first known attack:

Operation Flame took place in 2007 and used first-generation malware against the South Korean government. The group’s first few attacks were quite simple: they took down South Korean government websites by flooding their servers with requests.

Second Known Attack:

Operation Troy in 2009 utilized the Mydoom & Dozer malware to launch a large-scale (but not sophisticated) DDoS (Distributed Denial of Service) against U.S. and South Korean websites.

More Sophisticated DDoS Attack:

“Ten Days of Rain”: the group carried out another DDoS attack, but this one was much more sophisticated. The targets were mainly media, financial, and critical infrastructure organizations in South Korea.

ONE OF THE MOST INFAMOUS ATTACKS:

The Sony Pictures attack took place in 2014. A hacker group that referred to themselves as the “Guardians of Peace” released confidential data taken directly from the film studio Sony Pictures Entertainment (SPE). The leaked data included information about Sony Pictures employees: emails between employees, salaries, unreleased films, movie scripts, and even information about employees’ family members. The attackers then deployed a variant of the Shamoon wiper malware to erase SPE’s computer infrastructure.

The group issued a demand during the attack: they wanted SPE to withdraw its then-upcoming film “The Interview”, a comedy starring Seth Rogen and James Franco in which the plot is to assassinate North Korean leader Kim Jong-un. They also threatened terrorist attacks against any cinema that dared to screen the film. No major U.S. theater chain ended up screening the movie. Sony also cancelled the film’s premiere, although it did eventually do a straight-to-download digital release.

Side note: Sony Pictures became aware of the hack on Monday, November 24, 2014. However, on November 21 some of its executives had received an email from a group calling itself “God’s Apstls” demanding monetary compensation, or else “Sony Pictures will be bombarded as a whole”. This email was not taken seriously and was essentially ignored.

A little less than a month later, on December 17, U.S. government officials expressed their belief that the North Korean government was “centrally involved” in the attacks, and a few days later the FBI made a formal statement.

Some key indicators linking North Korea to the hacks:

  • Similarities between the malicious tools and techniques used in this attack and those used by North Korean attackers, in particular Bureau 121 (North Korea’s cyber warfare unit), against South Korean targets.

  • Further similarities in specific lines of code, data deletion methods, encryption algorithms, and compromised networks.

  • The FBI discovered that several Internet Protocol (IP) addresses associated with known North Korean infrastructure had communicated with IP addresses that were hard-coded into the data deletion malware used in this attack.

  • Tools used in the Sony Pictures attack also resembled those used in a cyber attack in March of the previous year against South Korean banks and media outlets, which was carried out by North Korea.

  • The use of proxy IP addresses that originated within North Korea, which led the FBI to describe the hackers as “sloppy”.

On January 2, 2015, President Obama issued an Executive Order imposing additional economic sanctions on North Korea for the Sony Pictures hack.

On September 6, 2018, formal charges were issued against North Korean citizen Park Jin-hyok for his part in the SPE hacks. The DOJ (Department of Justice) stated that Park was a hacker who worked for the Reconnaissance General Bureau (North Korea’s equivalent of the CIA). They also asserted that Park was partially responsible for arranging the WannaCry ransomware attack of 2017, having at least developed part of the ransomware software.

WannaCry:

The WannaCry ransomware attack of 2017 was massive and hit institutions all over the world. It took place on May 12, 2017. The attack itself lasted 7 hours and 19 minutes. It is estimated to have affected approximately 200,000 computers in 150 different countries. This was one of the first attacks to spread as a cryptoworm (self-propagating malware that moves between computers over the network, in this case by exploiting TCP port 445). This was extremely problematic because no one had to click a link to be infected; the malware spread autonomously. The port 445 vulnerability allowed the malware to move freely across intranets and, with that, to infect thousands of computers at a rapid pace.

The virus exploited a vulnerability in the Windows OS (Operating System), then encrypted the computer’s data and demanded Bitcoin worth about $300 in return for the decryption key. The ransom would double after three days, and if it was not paid within a week the malware would delete the encrypted data files. A legitimate piece of software, Windows Crypto, was used to scramble the files. After the encryption was complete the filename “Wincry” was attached (Wincry is where the name WannaCry came from). Two additional exploits, DoublePulsar and EternalBlue, were used by the malware to make it a cryptoworm. Thankfully, Marcus Hutchins was able to bring the attack to an end. He had received a copy of the virus from a friend at a security research company and discovered a kill switch hard-coded into it. The exploits used in the attack were drawn from a cache stolen from the NSA in 2016 by the Shadow Brokers (a Russian-backed hacking group). Apparently they tried to auction it off at first, but eventually ended up giving the exploit away for free.
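The defining behaviour described above is a single host opening TCP 445 (SMB) connections to many internal peers in a short time. The following is an added example, not code from the original post: a small detector that runs over constructed connection-log lines and flags any source that reaches a threshold number of distinct private-network hosts on port 445 within a sliding window. The log format, hosts and threshold are assumptions chosen for the example.

```python
"""Flag worm-like SMB fan-out (TCP 445) in connection logs.

Constructed example: the log format below is invented for this
illustration and is not any product's real format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2017-05-12T07:44:01 10.0.1.15 10.0.1.22 445
2017-05-12T07:44:02 10.0.1.15 10.0.1.23 445
2017-05-12T07:44:02 10.0.1.15 10.0.1.24 445
2017-05-12T07:44:03 10.0.1.15 10.0.1.25 445
2017-05-12T07:44:03 10.0.1.15 10.0.1.26 445
2017-05-12T07:44:04 10.0.1.15 10.0.1.27 445
2017-05-12T07:45:10 10.0.1.40 10.0.1.5 445
2017-05-12T07:45:11 10.0.1.40 10.0.1.5 445
2017-05-12T07:45:12 10.0.1.40 10.0.1.6 443
2017-05-12T08:30:00 10.0.1.15 10.0.1.28 445
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_spreaders(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: first_alert_time} for every source that contacts at
    least `threshold` distinct private destinations on TCP 445 within
    `window`. Repeated hits on the same peer do not count twice."""
    recent = defaultdict(deque)   # src -> deque of (time, dst) inside window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port != 445 or not ip_address(dst).is_private:
            continue              # only internal SMB fan-out matters here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        if len({d for _, d in q}) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for host, when in find_smb_spreaders(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {host}: worm-like SMB fan-out")
```

Only 10.0.1.15 is flagged: it reaches five distinct peers on 445 within seconds, while 10.0.1.40 hits the same peer twice and one non-SMB port.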



Continued sophistication and attacks on crypto:

The hackers in this group have become more sophisticated with each passing year. Recently they have taken to targeting the system administrators of cryptocurrency firms. They craft phishing messages with fraudulent documents and send them to the admin’s personal LinkedIn account. Typically these messages are very well crafted and come across as a legitimate offer from a blockchain company that perfectly matches the admin’s profile. This naturally sparks the user’s curiosity; they open the attached documents, and the phishing attack succeeds. In 2021 alone they stole approximately $400 million. They have continued to stay busy and have far exceeded that amount in 2022. Some of the attacks they carried out this year:

  • Lazarus Group attacked the blockchain-based decentralized finance platform BadgerDAO, causing it to lose $120 million in crypto tokens.

  • They were also blamed for the huge crypto breach of the developer group Sky Mavis, for a staggering $625 million. The theft was carried out in only two transactions.

  • The group also stole as much as $100 million in crypto assets from the U.S. company Horizon Bridge, a service from Harmony Blockchain that permits assets to be transferred to other blockchains.

There are many overlaps with various other groups, as well as a number of subgroups affiliated with Lazarus Group. I have also only covered a very small portion of the attacks associated with them. For more information I recommend heading over to these links:

Lazarus Group Profile at MITRE ATT&CK

Trend Micro: A Look into the Lazarus Group’s Operations

The Record: Lazarus Group Archive