APT 38 — “Lazarus Group”

Renato Ashcar
6 min read · Jan 24, 2024
image from https://pt.slideshare.net/malvvv/rpt-apt382018

APT38, also known as the “Lazarus Group*”, is a North Korean state-sponsored threat group that specializes in financial cyber operations and has been active since at least 2014. APT38 is particularly known for its financially motivated cyber-espionage campaigns: it has targeted banks, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide to steal funds. Significant operations include the 2016 Bank of Bangladesh heist, in which $81 million was stolen, as well as attacks against Bancomext (2018) and Banco de Chile (2018).

* North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

KNOWN CAMPAIGNS:

DarkSeoul (2012)

Targets: South Korean organizations, including banks and media companies. Aim: espionage and disruption.

Techniques and Methods: Distributed malware, wiper attacks, and data destruction.

Operation Troy (Sony Pictures Hack) (2013–2014)

Target: Sony Pictures Entertainment. Aim: retaliation against the movie “The Interview” and disruption.

Techniques and Methods: Spear-phishing, malware deployment (Destover wiper), and data exfiltration.

Operation Blockbuster (2014–2016)

Targets: Global financial institutions, media, and military organizations. Aim: cyber espionage and financial theft.

Techniques and Methods: Spear-phishing, malware deployment (Duuzer, Hangman, etc.), and data exfiltration.

SWIFT Attacks (2016)

Targets: Global financial institutions using the SWIFT network. Aim: financial theft.

Techniques and Methods: Manipulation of SWIFT transactions, fraudulent fund transfers.

WannaCry Ransomware Attack (2017)

Targets: Global organizations, including healthcare, government, and businesses. Aim: financial gain through ransom payments.

Techniques and Methods: Exploitation of the EternalBlue vulnerability, ransomware deployment.

AppleJeus (2018–2019)

Targets: Cryptocurrency exchanges. Aim: cryptocurrency theft.

Techniques and Methods: Trojanized cryptocurrency trading applications.

Crimson RAT (APT38) (Probably still ongoing)

Targets: Financial institutions, especially in Asia. Aim: financial theft.

Techniques and Methods: Custom malware (Crimson RAT) and SWIFT attacks.

image from https://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-security-compromise

OPERATION TROY (SONY PICTURES HACK) CAMPAIGN:

The Sony Pictures hack of 2014 was a high-profile cyberattack on Sony Pictures Entertainment that took place in late November 2014. It had significant consequences, including the exposure of sensitive data, disruption of business operations, and a major impact on the entertainment industry.

Here are key details about the Sony Pictures hack:

§ Timeline: The cyberattack on Sony Pictures occurred in late November 2014 and its impact continued to unfold over the following weeks.

§ Attribution: The U.S. government attributed the cyberattack to North Korea, specifically to the Lazarus Group, based on various indicators, including the use of specific malware and infrastructure associated with the group.

§ Objective: The attack was widely seen as retaliation against Sony Pictures for its production and planned release of the comedy film “The Interview”, which depicted a fictional plot to assassinate North Korea’s leader, Kim Jong-un. The North Korean government had publicly condemned the film.

§ Techniques: The attackers gained initial access to Sony Pictures’ network through a combination of social engineering and spear-phishing emails, which contained malicious attachments that, when opened, allowed the attackers to deploy malware within the network.

§ Malware: A destructive malware known as “Destover,” which functioned as a wiper, was deployed. It was designed to overwrite data on infected systems, rendering them inoperable. The malware also displayed a red skeleton image accompanied by the phrase “GOP” (Guardians of Peace).

§ Data Exfiltration: In addition to the destructive actions, the attackers exfiltrated a large volume of sensitive data from Sony Pictures’ network, including internal emails (later leaked online by the attackers), unreleased films, employee records, and other confidential information.

§ Impact: It had a severe impact on Sony Pictures. Business operations were disrupted, and the exposure of sensitive data led to significant reputational and financial losses.

TACTICS, TECHNIQUES, AND PROCEDURES (TTPS)

The attack involved a variety of tactics, techniques, and procedures (TTPs) throughout different stages of the cyber attack lifecycle. Here are some key TTPs associated with the Sony Pictures hack, mapped to the MITRE ATT&CK framework:

1. Initial Access:

- Technique: Spearphishing Attachment (T1566.001)

The Lazarus Group initiated the Sony Pictures hack by crafting spear-phishing emails specifically tailored to Sony Pictures employees. These emails contained malicious attachments designed to exploit human curiosity, leading unsuspecting users to open them and triggering the initial compromise.

2. Execution:

- Technique: PowerShell (T1059.001)

PowerShell scripts played a crucial role in executing the malicious code deployed by the Lazarus Group. These scripts allowed the attackers to run commands, execute malware, and establish a foothold within the compromised systems.

3. Persistence:

- Technique: Registry Run Keys / Startup Folder (T1547.001)

For persistence, the Lazarus Group manipulated the Windows Registry by adding entries to the Run keys or Startup folder. This ensured that their malicious code ran automatically upon system startup, maintaining a lasting presence within Sony Pictures’ network.

4. Privilege Escalation:

- Technique: Exploitation of Vulnerability (T1068)

Exploiting vulnerabilities in software or the operating system was key. By doing so, the attackers gained unauthorized access and escalated privileges, allowing them to move laterally within Sony Pictures’ network.

5. Defense Evasion:

- Technique: Obfuscated Files or Information (T1027)

The attackers employed obfuscation techniques to disguise their malicious files and information, making it challenging for security solutions to detect and block their activities as they moved stealthily within Sony Pictures’ network.

6. Credential Access:

- Technique: Credential Dumping (T1003)

Credential dumping was utilized by the attackers to extract usernames and passwords from compromised systems within Sony Pictures’ network. This allowed them to escalate privileges and move laterally, gaining access to sensitive areas of the network.

7. Discovery:

- Technique: System Information Discovery (T1082)

The attackers performed systematic information discovery to understand the configuration of Sony Pictures’ systems. This knowledge helped them plan and execute subsequent stages of the attack more effectively.

8. Collection:

- Technique: Data from Local System (T1005)

As part of their collection phase, the attackers gathered valuable data from local systems within Sony Pictures’ network. This included sensitive information and intellectual property, contributing to the overall impact of the breach.

9. Exfiltration:

- Technique: Data Exfiltration Over Command and Control Channel (T1041)

The Lazarus Group established command and control channels to communicate with compromised systems. Using these channels, they exfiltrated large volumes of stolen data from Sony Pictures’ network, transferring it to servers under their control and later leaking it online.

10. Impact:

- Technique: Data Encrypted for Impact (T1486)

To cause significant disruption, the Lazarus Group deployed the Destover wiper malware, encrypting files on a massive scale. This not only rendered files inaccessible but also served as a destructive element in the attack, impacting Sony Pictures’ operations profoundly.
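The TTP mapping above is also a detection checklist. The following is an added example (not from the original article and not Lazarus Group tooling): a small Python triage script that runs over constructed Sysmon-style endpoint events (field names and event IDs follow Sysmon's conventions; the sample records are invented) and tags the ones consistent with the PowerShell execution, obfuscated command, Run-key persistence and credential dumping techniques listed above.

```python
import re
# Constructed sample events (not real Sony Pictures logs), shaped like Sysmon
# records: EventID 1 = process creation, 10 = process access, 13 = registry set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 13, "Host": "ws01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 10, "Host": "ws01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Host": "ws02", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.IGNORECASE)
LSASS_MASKS = {"0x1010", "0x1038", "0x1fffff", "0x143a"}  # access masks typical of dumpers

def classify(event):
    """Return the ATT&CK technique IDs that this single event suggests."""
    hits = []
    eid = event.get("EventID")
    if eid == 1 and "powershell" in event.get("Image", "").lower():
        cmd = event.get("CommandLine", "")
        if ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd):
            hits.append("T1059.001")  # suspicious PowerShell execution
        if ENCODED_PS.search(cmd):
            hits.append("T1027")  # Base64-encoded (obfuscated) command
    elif eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        # Only alert when the autostart target sits in a user-writable path;
        # vendor installers pointing at Program Files are left alone to cut noise.
        if USER_WRITABLE.search(event.get("Details", "")):
            hits.append("T1547.001")  # Run-key persistence
    elif eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        if event.get("GrantedAccess", "").lower() in LSASS_MASKS:
            hits.append("T1003")  # LSASS access consistent with credential dumping
    return hits

def scan(events):
    """Map each host to the set of technique IDs observed across its events."""
    findings = {}
    for ev in events:
        for tech in classify(ev):
            findings.setdefault(ev["Host"], set()).add(tech)
    return findings
```

A host that accumulates several of these technique IDs in a short window, as ws01 does here, is worth escalating; a single Run-key write by an installer under Program Files (ws02) is not flagged.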

INDICATORS OF COMPROMISE (IOCS)

Indicators of Compromise (IOCs) from the Sony Pictures hack have been extensively investigated by cybersecurity researchers and analysts. However, due to the sensitivity of the incident, not all IOCs may be publicly disclosed. Here are some general types of IOCs associated with the Sony Pictures hack:

1. Malicious Files:

File Hashes: Hash values of known malicious files, including the Destover wiper and other malware variants used in the attack.

2. Malicious Infrastructure:

IP Addresses: IP addresses associated with command and control (C2) servers used by the attackers for communication and control.

Domain Names: Domains linked to the infrastructure used in the attack, such as for hosting malicious payloads or for phishing.

3. Phishing Artifacts:

Email Addresses: Addresses used in spear-phishing campaigns targeting Sony Pictures employees.

Phishing URLs: URLs contained in malicious emails leading to sites hosting exploit kits or malicious content.

4. Network Artifacts:

Network Traffic Patterns: Unusual or suspicious patterns of network traffic that might indicate lateral movement, data exfiltration, or communication with C2 servers.

5. Timestamps and Log Entries:

Event Logs: Anomalies or specific log entries in system and network logs during the time of the attack.

Potential Recommendations For Defense

The first important thing to observe here is that it all started with spear-phishing; therefore it is mandatory that all levels of the organization are aware of cyber threats, and constant training is required.

Second, it is also mandatory to keep all software patched and up to date, to run a system vulnerability scan from time to time, and to check for any unusual behavior, since APTs usually stay inside the network for a long time.
