North Korean attackers out themselves with operational security failure

Thanks in part to an operational security error by an attacker, security researchers from WithSecure™ have linked a cyber attack campaign back to North Korea’s notorious Lazarus Group.

Lazarus Group is an advanced persistent threat (APT) that’s widely believed to be a part of North Korea’s Foreign Intelligence and Reconnaissance Bureau. Researchers discovered the group’s latest campaign after a suspected ransomware attack was detected at an organization protected by the WithSecure™ Elements cloud-native security platform.

Upon investigating the attack, WithSecure™ researchers uncovered further evidence indicating that the attack was part of a larger intelligence-gathering campaign rather than a ransomware incident. Based on the collected evidence, the researchers were able to link the campaign to Lazarus Group, which was targeting medical research and energy organizations with the intent to commit espionage.

Specific targets of the campaign identified by the researchers included a healthcare research organization, a manufacturer of technology used in the energy, research, defense, and healthcare sectors, as well as the chemical engineering department of a leading research university. “While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction. And as we collected more evidence we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group,” said WithSecure™ Senior Threat Intelligence Researcher Sami Ruohonen.

“During our investigation we found that this was part of a larger campaign with expanded targeting, not just an isolated incident, and it is extremely unusual to be able to link a campaign so strongly to a perpetrator as we have been able to here,” added WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson.

WithSecure™ researchers were able to connect the campaign to Lazarus Group based on its use of tactics, techniques, and procedures (TTPs) seen in previous attacks by the group and by other attackers associated with North Korea.

The researchers found several noteworthy developments in this campaign when compared to previous Lazarus Group activity, including:

  • The use of new infrastructure, including sole reliance on IP addresses without domain names (a departure from previous attacks).
  • A modified version of the Dtrack information-stealing malware used by Lazarus Group and Kimsuky (another group associated with North Korea) in previous attacks.
  • A new version of GREASE, malware that allows attackers to create new administrator accounts with remote desktop protocol privileges in a way that bypasses firewalls.
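The first item above, infrastructure addressed only by IP with no domain names, is something defenders can hunt for directly in egress proxy logs, since legitimate traffic from a managed endpoint is almost always to a named host. The script below is an added example, not code from WithSecure™'s report; it assumes a simplified Squid-style log layout (constructed here) and groups outbound requests to IP-literal destinations by client so a hunter can triage the endpoints that talk to name-less infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed proxy log lines (sample data, not from the incident) in a
# simplified Squid-like layout: <epoch> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1675000001 10.0.0.12 GET http://update.example.com/manifest.json 200
1675000002 10.0.0.12 CONNECT 203.0.113.45:443 200
1675000003 10.0.0.33 POST http://198.51.100.7/up.php 200
1675000004 10.0.0.33 GET http://[2001:db8::10]/stat 404
1675000005 10.0.0.40 GET http://intranet.corp.example/ 200
1675000006 10.0.0.12 CONNECT 203.0.113.45:443 200
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
# Optional scheme, then either a bracketed IPv6 literal or a host token,
# then an optional port and path.
HOST_RE = re.compile(r"^(?:[a-z]+://)?(\[[^\]]+\]|[^/:]+)(?::\d+)?(?:/.*)?$")

def extract_host(url):
    """Return the host part of a proxy URL or CONNECT target; None if unparseable."""
    m = HOST_RE.match(url)
    return m.group(1).strip("[]") if m else None

def is_ip_literal(host):
    """True if the destination is written as a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hunt_ip_only_destinations(log_text):
    """Group outbound requests to IP-literal hosts by client, for triage.

    Returns {client_ip: {dest_ip: hit_count}} so a hunter can see which
    endpoints talk to name-less infrastructure and how often."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        _ts, client, _method, url, _status = m.groups()
        host = extract_host(url)
        if host and is_ip_literal(host):
            findings[client][host] += 1
    return {c: dict(d) for c, d in findings.items()}

if __name__ == "__main__":
    for client, dests in hunt_ip_only_destinations(SAMPLE_LOG).items():
        print(client, dests)
```

In practice the output is a starting point for enrichment (ASN, geolocation, first-seen date) rather than an alert on its own, since some legitimate services are also reached by bare IP.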

One notable piece of evidence discovered by researchers was that the attackers briefly made use of one of the fewer than a thousand IP addresses belonging to North Korea. That IP address was observed connecting to an attacker-controlled webshell for a short time, leading researchers to suspect it was a manual error made by a member of the group.

However, mistakes like this should not be misinterpreted by defenders as grounds to lower their guard, according to WithSecure™ Head of Threat Intelligence Tim West. “In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints. Even with accurate endpoint detection technologies, organizations need to continually consider how they respond to alerts, and also integrate focused threat intelligence with regular hunts to provide better defense in depth, particularly against capable and adept adversaries,” he said.

The full research is now available at https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector.