The story behind Lazarus Group, the mastermind of the largest heist in Web3 history

Foresight News
2025-02-22 11:41:36
Bybit was hacked, resulting in the theft of approximately $1.5 billion in on-chain assets. Four hours after the incident, on-chain detective ZachXBT submitted conclusive evidence confirming that the attack on Bybit was carried out by the North Korean hacker group Lazarus Group.

Source: Wikipedia

Compiled by: Yobo, Foresight News

The following content is translated from the Wikipedia entry "Lazarus Group":

Lazarus Group (also known as "Guardians of Peace" or "Whois Team") is a hacker organization composed of an unknown number of individuals, allegedly controlled by the North Korean government. Although there is limited understanding of the organization, researchers have attributed multiple cyberattacks to them since 2010.

Originally a criminal gang, the organization has now been classified as an advanced persistent threat (APT) group due to its attack intentions, the threats it poses, and the various means it employs during operations. Cybersecurity agencies have given them several nicknames, such as "Hidden Cobra" (a term used by the U.S. Department of Homeland Security to refer to malicious cyber activities initiated by the North Korean government), as well as "ZINC" or "Diamond Sleet" (Microsoft's designation). According to defectors from the country, the organization is known domestically in North Korea as the "414 Contact Office."

Lazarus Group is closely linked to North Korea. The U.S. Department of Justice claims that the organization is part of the North Korean government's strategy to "disrupt global cybersecurity… and generate illegal revenue in violation of sanctions." North Korea can gain numerous advantages through cyber operations, requiring only a very lean team to pose a "global" asymmetric threat, particularly against South Korea.

Development History

The earliest known attack by the organization is the "Troy Operation" from 2009 to 2012. This was a cyber espionage campaign that targeted the South Korean government in Seoul using relatively simple distributed denial-of-service (DDoS) techniques. They also launched attacks in 2011 and 2013. Although it cannot be confirmed, an attack against South Korea in 2007 may also have been their doing. A notable attack by the organization occurred in 2014, targeting Sony Pictures. This attack employed more sophisticated techniques and demonstrated that the organization had become increasingly mature over time.

Reports indicate that in 2015, Lazarus Group stole $12 million from Ecuador's Banco del Austro and $1 million from Vietnam's VietinBank. They also targeted banks in Poland and Mexico. The 2016 bank heist, in which $81 million was successfully stolen, is also believed to be the work of the organization. In 2017, it was reported that Lazarus Group stole $60 million from Taiwan's Far Eastern International Bank, although the actual amount stolen is unclear, and most of the funds have been recovered.

It remains unclear who the true masterminds behind the organization are, but media reports indicate a close association with North Korea. In 2017, Kaspersky Lab reported that Lazarus Group tends to focus on espionage and infiltration-type cyberattacks, while a sub-group within it, referred to by Kaspersky as "Bluenoroff," specializes in financial cyberattacks. Kaspersky discovered multiple attack incidents globally and found direct IP address links between Bluenoroff and the country.

However, Kaspersky also acknowledged that the reuse of code could be a "false flag operation" intended to mislead investigators and pin the blame on North Korea, especially since the global "WannaCry" worm attack copied techniques from the U.S. National Security Agency. This ransomware exploited the "EternalBlue" vulnerability developed by the NSA, which was publicly disclosed in April 2017 by a hacker group called "Shadow Brokers." In 2017, Symantec reported that the "WannaCry" attack was highly likely to be attributed to Lazarus Group.

2009 "Troy Operation"

Lazarus Group's first major hacking incident occurred on July 4, 2009, marking the beginning of the "Troy Operation." This attack utilized the "MyDoom" and "Pushdo" malware to launch large-scale but relatively unsophisticated DDoS attacks against websites in the U.S. and South Korea. This wave of attacks targeted approximately 36 websites and implanted the phrase "Independence Day Memorial" in the master boot record (MBR).

2013 South Korea Cyber Attack ("Operation 1" / "Dark Seoul" Operation)

Over time, the organization's attack methods became increasingly sophisticated; their techniques and tools also became more mature and effective. The "Ten-Day Rain" attack in March 2011 targeted South Korea's media, finance, and critical infrastructure, employing more complex DDoS attacks sourced from compromised computers within South Korea. On March 20, 2013, the "Dark Seoul" operation was launched, which was a data-wiping attack targeting three South Korean broadcasters, financial institutions, and an internet service provider. At the time, two other groups claiming responsibility for the attack, "New Roman Cyber Army" and "WhoIs Team," were unaware that Lazarus Group was the mastermind behind it. Researchers now know that Lazarus Group was the driving force behind these destructive attacks.

Late 2014: Sony Pictures Hacked

On November 24, 2014, Lazarus Group's attacks reached a climax. On that day, a post appeared on Reddit claiming that Sony Pictures had been hacked by unknown means, with the attackers calling themselves "Guardians of Peace." A large amount of data was stolen and gradually leaked over the following days. A person claiming to be a member of the organization stated in an interview that they had been stealing data from Sony for over a year.

The hackers gained access to unreleased films, some movie scripts, future film plans, salary information of company executives, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: "Operation Bombshell"

Codenamed "Operation Bombshell," an alliance of several security companies led by Novetta analyzed malware samples found in various cybersecurity incidents. Using this data, the team analyzed the hackers' methods and linked Lazarus Group to multiple attacks through code reuse patterns. One such pattern was the use of a little-known encryption algorithm, the "Karacase" algorithm.

2016 Bank Cyber Heist

In February 2016, a bank heist occurred. The attackers issued 35 fraudulent instructions via the SWIFT network, attempting to illegally transfer nearly $1 billion from a country's central bank account at the New York Federal Reserve Bank. Of the 35 fraudulent instructions, 5 successfully transferred $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The New York Federal Reserve Bank became suspicious due to a spelling error in one instruction and blocked the remaining 30 transactions, which involved $850 million. Cybersecurity experts attributed the attack to Lazarus Group from a certain country.

May 2017 "WannaCry" Ransomware Attack

The "WannaCry" attack was a large-scale ransomware cyberattack that affected numerous institutions worldwide, from the UK's National Health Service (NHS) to Boeing and even some universities in China, on May 12, 2017. The attack lasted 7 hours and 19 minutes. Europol estimated that the attack affected nearly 200,000 computers in 150 countries, with the most impacted regions being Russia, India, Ukraine, and Taiwan. This was one of the earliest examples of a cryptoworm attack. Cryptoworms are a type of malware that can spread between computers over a network without requiring direct user action to infect—this attack exploited TCP port 445. Computers infected with the virus did not need to click on malicious links; the malware could spread automatically from one computer to connected printers and then to other computers connected to the same wireless network. The vulnerability in port 445 allowed the malware to spread freely within internal networks, quickly infecting thousands of computers. The "WannaCry" attack was one of the first large-scale uses of a cryptoworm.

Attack Method: The virus exploited a vulnerability in the Windows operating system, then encrypted computer data, demanding about $300 worth of Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and if it was not paid within a week, the malware would delete the encrypted data files. The malware used legitimate Microsoft software called "Windows Crypto" to encrypt files. Once encrypted, the file names were appended with the "Wincry" suffix, which is the origin of the name "WannaCry." "Wincry" is the basis for the encryption, but the malware also exploited two other vulnerabilities, "EternalBlue" and "DoublePulsar," making it a cryptoworm. "EternalBlue" allowed the virus to spread automatically over the network, while "DoublePulsar" triggered the virus to activate on the victim's computer. In other words, "EternalBlue" spread the infected link to your computer, while "DoublePulsar" clicked it for you.

Security researcher Marcus Hutchins received a sample of the virus from a friend at a security research company and discovered that the virus had a hardcoded "kill switch," which halted the attack. The malware regularly checked whether a specific domain name was registered, and it would only continue encrypting if that domain did not exist. Hutchins discovered this check mechanism and registered the relevant domain at 3:03 PM UTC. The malware immediately stopped spreading and infecting new devices. This situation is intriguing and provided clues for tracking the virus creators. Typically, stopping malware requires months of back-and-forth between hackers and security experts, so winning so easily was unexpected. Another unusual aspect of this attack was that even after paying the ransom, files could not be recovered: the hackers only received $160,000 in ransom, leading many to believe their motive was not financial gain.
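The kill-switch check described above leaves a trace on the defender's side: every infected host asks its resolver for that one domain. The following is an added example, not code from the original article or from any of the researchers it names; it triages constructed DNS resolver log lines against a placeholder kill-switch domain (the real domain name is not given on this page) and takes the 3:03 PM UTC registration time as an assumed cutoff.

```python
"""Kill-switch lookup triage from DNS resolver logs (added example).

The malware queried one hardcoded domain and kept encrypting only when that
domain did not resolve, so each lookup tells a defender which host ran the
check and whether the sample on it halted or proceeded. The domain below is a
PLACEHOLDER, not the real one, and all log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not the real domain
# Assumed moment the registered domain began answering (3:03 PM UTC, 2017-05-12).
SINKHOLE_LIVE_AT = datetime(2017, 5, 12, 15, 3, tzinfo=timezone.utc)

# Constructed resolver log lines: "<ISO-8601 UTC> <client ip> <qname> <rcode>"
SAMPLE_LOG = """\
2017-05-12T14:10:05Z 10.0.4.17 killswitch-placeholder.example NXDOMAIN
2017-05-12T14:11:40Z 10.0.4.17 fileserver.corp.example NOERROR
2017-05-12T14:58:21Z 10.0.9.3 killswitch-placeholder.example NXDOMAIN
2017-05-12T15:20:02Z 10.0.12.8 killswitch-placeholder.example NOERROR
2017-05-12T15:45:00Z 10.0.20.5 killswitch-placeholder.example NXDOMAIN
2017-05-12T16:03:44Z 10.0.4.17 killswitch-placeholder.example NOERROR
"""

@dataclass(frozen=True)
class Finding:
    host: str
    when: datetime
    verdict: str  # "likely_encrypting" or "halted_by_sinkhole"

def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts, host, qname, rcode = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, host, qname.lower().rstrip("."), rcode.upper()

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """One Finding per lookup of the kill-switch domain: NXDOMAIN means the check
    passed and the sample went on to encrypt; any answer means it halted."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, qname, rcode = parse_line(line)
        if qname != domain:
            continue
        verdict = "likely_encrypting" if rcode == "NXDOMAIN" else "halted_by_sinkhole"
        findings.append(Finding(host, when, verdict))
    return findings

def hosts_needing_response(findings):
    """Hosts that passed the check at least once: they ran the payload and need
    isolation and restore even if a later lookup from them was halted."""
    return sorted({f.host for f in findings if f.verdict == "likely_encrypting"})

def unprotected_after_sinkhole(findings, live_at=SINKHOLE_LIVE_AT):
    """Passed checks after the domain went live: that resolver could not reach the
    registered domain (egress-filtered or internal-only DNS), so the kill switch
    gave no protection there and spread on that segment can continue."""
    return [f for f in findings if f.verdict == "likely_encrypting" and f.when >= live_at]
```

The last function is the caveat that matters in practice: a registered domain only halts samples whose DNS path can actually see it.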

The ease with which the "kill switch" was triggered and the meager ransom profits led many to believe that this attack was state-sponsored; its motive was not financial gain but rather to create chaos. After the attack, security experts traced the "DoublePulsar" vulnerability back to the U.S. National Security Agency, which had initially developed it as a cyber weapon. Later, the hacker group "Shadow Brokers" stole this vulnerability, initially attempting to auction it off but failing, ultimately releasing it for free. The NSA subsequently informed Microsoft of the vulnerability, and Microsoft released an update on March 14, 2017, less than a month before the attack occurred. However, this was not enough; since the update was not mandatory, by May 12, most computers with the vulnerability had not been patched, leading to the astonishing damage caused by this attack.

Aftermath: The U.S. Department of Justice and British authorities later determined that the "WannaCry" attack was carried out by the North Korean hacker group Lazarus Group.

2017 Cryptocurrency Attack Incidents

In 2018, Recorded Future released a report linking Lazarus Group to attacks against cryptocurrency users of Bitcoin and Monero, primarily targeting South Korean users. Reports indicated that these attacks were technically similar to previous attacks using "WannaCry" ransomware and the attack on Sony Pictures. One of the methods used by Lazarus Group hackers was exploiting vulnerabilities in the Korean word processing software Hangul (developed by Hancom). Another method involved sending spear-phishing bait containing malware, targeting South Korean students and users of cryptocurrency trading platforms like Coinlink.

If users opened the malware, their email addresses and passwords would be stolen. Coinlink denied that its website or users' email addresses and passwords had been hacked. The report concluded: "This series of attacks at the end of 2017 indicates that a certain country has an increasing interest in cryptocurrency, which we now know encompasses a wide range of activities including mining, ransomware attacks, and direct theft…" The report also noted that the country used these cryptocurrency attacks to evade international financial sanctions.

In February 2017, hackers from a certain country stole $7 million from South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin exchange, Youbit, suffered an attack in April 2017 and had to file for bankruptcy in December of the same year after losing 17% of its assets. Lazarus Group and hackers from a certain country were identified as the masterminds behind these attacks. In December 2017, the cryptocurrency cloud mining market Nicehash lost over 4,500 Bitcoins. An investigation update indicated that this attack was related to Lazarus Group.

September 2019 Attack Incident

In mid-September 2019, the U.S. issued a public alert about a new type of malware called "ElectricFish." Since early 2019, agents from a certain country had carried out five significant cyber thefts globally, including successfully stealing $49 million from a Kuwaiti institution.

Late 2020 Pharmaceutical Company Attack Incident

Due to the ongoing COVID-19 pandemic, pharmaceutical companies became a primary target for Lazarus Group. Members of Lazarus Group used spear-phishing techniques, posing as health officials, to send malicious links to pharmaceutical company employees. It is believed that several large pharmaceutical companies were targeted, but only AstraZeneca, a joint venture between the UK and Sweden, has been confirmed. According to Reuters, numerous employees were targeted, many of whom were involved in the development of COVID-19 vaccines. It remains unclear what Lazarus Group's motives were for these attacks, but they may include stealing sensitive information for profit, implementing extortion schemes, and enabling foreign regimes to obtain proprietary research related to the coronavirus. AstraZeneca has not commented on the incident, and experts believe that no sensitive data has been leaked so far.

January 2021 Attack Incident Targeting Cybersecurity Researchers

In January 2021, both Google and Microsoft publicly reported that a group of hackers from a certain country had launched attacks against cybersecurity researchers using social engineering tactics, with Microsoft explicitly stating that the attack was carried out by Lazarus Group.

The hackers created multiple profiles on platforms like Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers, interacting with posts and content published by others in the security research community. They would then directly contact specific security researchers, luring victims into downloading files containing malware or visiting blog posts on websites controlled by the hackers under the pretense of collaboration.

Some victims who visited the blog posts reported that their computers were compromised even though they were using fully patched Google Chrome browsers, indicating that the hackers may have exploited previously unknown Chrome zero-day vulnerabilities; however, Google stated at the time of the report that it could not determine the specific method of intrusion.

March 2022 Axie Infinity Attack Incident

In March 2022, Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: "Through investigation, we confirm that Lazarus Group and APT38 (cyber actors associated with North Korea) are behind this theft."

June 2022 Horizon Bridge Attack Incident

The FBI confirmed that the North Korean malicious cyber actor organization Lazarus Group (also known as APT38) was behind the reported theft of $100 million in virtual currency from Harmony's Horizon Bridge on June 24, 2022.

Other Related Cryptocurrency Attack Incidents in 2023

A report released by blockchain security platform Immunefi stated that Lazarus Group was responsible for over $300 million in losses from cryptocurrency hacking incidents in 2023, accounting for 17.6% of the total losses that year.

June 2023 Atomic Wallet Attack Incident: In June 2023, users of Atomic Wallet services had over $100 million worth of cryptocurrency stolen, which the FBI subsequently confirmed.

September 2023 Stake.com Hacker Attack Incident: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and betting platform Stake.com, with Lazarus Group being the perpetrators.

U.S. Sanctions

On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added Lazarus Group to the Specially Designated Nationals List (SDN List) under certain country sanctions regulations.

2024 Cryptocurrency Attack Incident

According to Indian media reports, a local cryptocurrency exchange named WazirX was attacked by the organization, resulting in the theft of $234.9 million in cryptocurrency assets.

Personnel Training

It is rumored that some North Korean hackers are sent to Shenyang, China, for specialized training on how to implant various types of malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University, and Mangyongdae Revolutionary School are responsible for related educational tasks, selecting the best students from across the country for a six-year special education program. In addition to university education, "some of the best programmers… are sent to Mangyongdae Revolutionary School or Mirim College for further studies."

Organizational Branches

Lazarus Group is believed to have two branches.

BlueNorOff

BlueNorOff (also known as APT38, "Star Chollima," "BeagleBoyz," "NICKEL GLADSTONE") is an organization driven by economic interests, engaging in illegal fund transfers through forged SWIFT instructions. Mandiant refers to it as APT38, while Crowdstrike calls it "Star Chollima."

According to a U.S. Army report from 2020, BlueNorOff has about 1,700 members who focus on long-term assessment and exploitation of enemy network vulnerabilities and systems, engaging in financial cybercrime activities to gain economic benefits or control related systems for the regime. Between 2014 and 2021, their targets included 16 institutions across at least 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that these illicit proceeds were used for the country's missile and nuclear technology development.

BlueNorOff's most notorious attack was the 2016 bank heist, where they attempted to illegally transfer nearly $1 billion from a country's central bank account at the New York Federal Reserve Bank via the SWIFT network. After some transactions were successfully completed ($20 million to Sri Lanka, $81 million to the Philippines), the New York Federal Reserve Bank became suspicious due to a spelling error in one instruction, blocking the remaining transactions.

Malware associated with BlueNorOff includes: "DarkComet," "Mimikatz," "Nestegg," "Macktruck," "WannaCry," "Whiteout," "Quickcafe," "Rawhide," "Smoothride," "TightVNC," "Sorrybrute," "Keylime," "Snapshot," "Mapmaker," "net.exe," "sysmon," "Bootwreck," "Cleantoad," "Closeshave," "Dyepack," "Hermes," "Twopence," "Electricfish," "Powerratankba," and "Powerspritz," among others.

Common tactics used by BlueNorOff include: phishing, setting up backdoors, exploiting vulnerabilities, watering hole attacks, executing code on systems using outdated and insecure versions of Apache Struts 2, strategically compromising websites, and accessing Linux servers. Reports indicate that they sometimes collaborate with criminal hackers.

AndAriel

AndAriel, also spelled Andarial, goes by the aliases Silent Chollima, Dark Seoul, Rifle, and Wassonite, and is characterized by its focus on South Korea. The alias "Silent Chollima" derives from the organization's secretive nature. Any institution in South Korea could be a target for AndAriel, including government departments, defense agencies, and various economically significant entities.

According to a U.S. Army report from 2020, the AndAriel organization has about 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map enemy networks for potential attacks. In addition to South Korea, they also target governments, infrastructure, and businesses in other countries. Attack methods include exploiting ActiveX controls, vulnerabilities in Korean software, watering hole attacks, spear-phishing (macro virus methods), targeting IT management products (such as antivirus software and project management software), and launching attacks through supply chains (installers and updates). The malware used includes Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

Related Personnel Prosecution Status

In February 2021, the U.S. Department of Justice indicted three members of North Korea's military intelligence agency, the Reconnaissance General Bureau—Park Jin Hyok, Jon Chang Hyok, and Kim Il Park—accusing them of participating in multiple hacking activities of Lazarus Group. Park Jin Hyok had already been indicted in September 2018. These suspects are currently not in U.S. custody. Additionally, a Canadian and two Chinese individuals have also been accused of acting as fund transporters and money launderers for Lazarus Group.
