Government

Hacking tools used by North Korea’s Lazarus Group aimed at Russian targets

Check Point cautions that while it’s “problematic” to definitively pinpoint who’s responsible for such an attack, its “analysis reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group[.]”

By Jeff Stone

February 19, 2019

Pyongyang, North Korea (Pixabay)

One of the United States’ biggest cyber adversaries has been targeting another, according to new research.

Security vendor Check Point Technologies on Tuesday published findings in which its researchers “were observing what seemed to be a coordinated North Korean attack against Russian entities.” The company cautions that it’s “problematic” to definitively pinpoint who’s responsible for such an attack, though “analysis reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group[.]”

Lazarus has been blamed for highly publicized attacks on Sony Pictures, the Bangladesh Bank heist, and could be a key part of North Korean efforts to evade international sanctions by pursuing international espionage. The suspicious activity in this attack occurred “over the past few weeks,” the company said.

Check Point said its researchers were tracking malicious Microsoft Office documents that appeared to be designed specifically targeted at Russian victims. A closer inspection of the hacking tools revealed that they were part of KEYMARBLE, a malware family the U.S. Department of Homeland Security described in 2018 as a variant used by the North Korean government.

“This incident … represents an unusual choice of victim by the North Korean threat actor,” Check Point researchers wrote. “Usually, these attacks reflect the geopolitical tension between the DPRK and nations such as the U.S., Japan and South Korea. In this case, though, it is probably Russian organizations who are the targets.”

Hackers typically used a ZIP file containing a PDF document and a Microsoft Word file laced with malware. The Word file used a Microsoft tool known as a VBScript to access a Dropbox URL, and ultimately download a nefarious EXE file. All of the documents had a Korean code page and cited “home” as the author identity.

Check Point did not identify the hacking targets by name, however one file contains a non-disclosure agreement that appears to come from StarForce Technologies, a software company headquartered in Moscow.

Hacking tools used by North Korea’s Lazarus Group aimed at Russian targets

More Like This

CISA ransomware warning program set to fully launch by end of 2024

Democratic operative behind Biden AI robocall says lawsuit won’t ‘get anywhere’

Proposed data broker regulations draw industry pushback on anonymized data exceptions, bulk thresholds

Top Stories

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

More Scoops

North Korean government hackers target individuals of interest, infosec professionals

Prolific Russian hacking unit using custom backdoor for the first time

North Korean hacking ops continue to exploit Log4Shell

North Korean hackers posed as Meta recruiter on LinkedIn

Latest North Korean hack targeting cryptocurrency shows troubling evolution, experts say

‘They outsmarted us.’ 3CX CEO acknowledges mistakes handling potential supply chain cyberattack

Supply chain cyberattack with possible links to North Korea could have thousands of victims globally

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics