Lazarus has been operating since at least 2009, organizing large-scale cyber espionage campaigns.
Lazarus has been operating since at least 2009, running large-scale cyber espionage campaigns, ransomware operations and even attacks on the cryptocurrency market. In recent years the group has concentrated on financial institutions around the world, but since the beginning of 2020 defense industry enterprises have also been among its targets.
Kaspersky Lab was able to investigate one of these attacks in detail after an affected organization asked for help. The company's experts found the ThreatNeedle backdoor on the network, a tool previously seen in Lazarus attacks on cryptocurrency companies.
The initial infection came through spear phishing: the attackers sent emails carrying malicious Microsoft Word documents, or links to such documents hosted on a remote server. The lure was a topical one, the prevention and diagnosis of coronavirus infection, and the emails purported to come from an employee of a medical center that belongs to the targeted organization.
If the recipient opened the document and allowed macros to run, the malware started a multi-stage deployment procedure. Once ThreatNeedle was installed, the attackers had almost complete control over the device.
One of the most interesting details of this campaign is how the attackers defeated the network segmentation. The victim's network was split into two segments: a corporate segment, whose computers have Internet access, and an isolated segment, whose computers hold confidential data and have no Internet access. Security policy prohibited any transfer of information between the two segments; they were supposed to be completely separated. In practice, however, administrators could connect to both segments in order to configure them and support users in both zones. The attackers obtained the credentials of a router that administrators used to reach both the isolated and the corporate network. By changing its configuration and installing additional software on it, they turned the router into a staging host for malware inside the enterprise network. From there they penetrated the isolated segment, collected data from it and sent it to the C&C server. The practical lesson is that a device with a leg in each segment is a bridge between them no matter what the policy says, so it has to be treated as part of the isolated segment's attack surface and monitored accordingly.
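The segmentation bypass above comes down to traffic that the policy forbids but that nothing was checking for: an isolated host pushing data to the admin router, and the router's corporate-side interface talking to the Internet. The following script, an added example that is not from the article or from Kaspersky, shows one way to audit flow records for exactly that. The segment ranges, the router's two interface addresses and the flow records are all constructed for illustration; only the detection logic is the point.

```python
"""Flag flows that violate a two-segment (corporate / isolated) policy.

Added example. Segment ranges, router addresses and flow records are
constructed and hypothetical; substitute your own NetFlow/IPFIX export.
"""
import ipaddress

# Hypothetical layout: the admin router has one interface in each segment.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
ISOLATED = ipaddress.ip_network("10.20.0.0/16")
ROUTER_LEGS = {
    ipaddress.ip_address("10.10.0.1"),  # corporate-side interface
    ipaddress.ip_address("10.20.0.1"),  # isolated-side interface
}

# Constructed flow records: (src, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.10.0.1", 22, 4_100),          # admin SSH to router: expected
    ("10.10.5.23", "93.184.216.34", 443, 12_000),    # corporate host browsing: expected
    ("10.20.7.8", "10.20.0.1", 445, 52_000_000),     # isolated host pushes 52 MB to router
    ("10.10.0.1", "203.0.113.9", 443, 51_500_000),   # router's corporate leg talks to Internet
    ("10.20.7.9", "10.10.9.4", 445, 3_000),          # isolated host talks to corporate host
    ("10.20.7.8", "198.51.100.7", 80, 900),          # isolated host reaches the Internet
]


def segment(ip: str) -> str:
    """Map an address to the segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in CORPORATE:
        return "corporate"
    if addr in ISOLATED:
        return "isolated"
    return "external"


def find_violations(flows, relay_threshold: int = 1_000_000):
    """Return (rule, src, dst) tuples for every flow the policy forbids.

    Rules:
      isolated_to_external  - isolated hosts must never reach the Internet
      direct_cross_segment  - no host-to-host traffic across segments,
                              except via the admin router's interfaces
      router_egress         - the dual-homed router must not talk to the Internet
      possible_relay        - router took >= threshold bytes in from the isolated
                              side and sent >= threshold bytes out to the Internet
    """
    violations = []
    inbound_to_router = 0    # bytes entering the router from the isolated segment
    router_to_external = 0   # bytes leaving a router leg for the Internet
    for src, dst, _port, nbytes in flows:
        s, d = segment(src), segment(dst)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s == "isolated" and d == "external":
            violations.append(("isolated_to_external", src, dst))
        if {s, d} == {"corporate", "isolated"} and not (ROUTER_LEGS & {src_ip, dst_ip}):
            violations.append(("direct_cross_segment", src, dst))
        if src_ip in ROUTER_LEGS and d == "external":
            violations.append(("router_egress", src, dst))
            router_to_external += nbytes
        if dst_ip in ROUTER_LEGS and s == "isolated":
            inbound_to_router += nbytes
    if inbound_to_router >= relay_threshold and router_to_external >= relay_threshold:
        violations.append(("possible_relay", str(inbound_to_router), str(router_to_external)))
    return violations


if __name__ == "__main__":
    for rule, a, b in find_violations(SAMPLE_FLOWS):
        print(f"{rule:22} {a} -> {b}")
```

The admin-to-router SSH session is allowed through on purpose: administrators do need the router, so the check targets what the router does next rather than whether it is used at all. The `possible_relay` rule is deliberately coarse (it sums bytes over the whole record set rather than correlating in time), which is enough to surface the pattern in the article; in production you would bucket by time window and by the specific router interface.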
“Lazarus was arguably the most active cyber group in 2020 and it seems to remain so. In January 2021, the Google Threat Analysis Team reported that Lazarus is using the same backdoor to attack cybersecurity researchers. We believe we will see ThreatNeedle more than once in the future and will continue to monitor this backdoor,” commented Seongsu Park, senior expert at the GReAT team.
“Lazarus is not only an overactive group, but also a very advanced one. The attackers not only overcame network segmentation, but also conducted extensive research to create personalized and effective phishing emails and customized tools to transfer stolen information to a remote server. Businesses need to take additional security measures to defend against these types of cyber espionage campaigns,” adds Vyacheslav Kopeytsev, senior expert at Kaspersky ICS CERT.