Cyber threat researchers have examined security incidents over the past several years that appear to connect North Korea's Lazarus Group with Russian speaking attackers. A recent analysis has examined reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.
In a summary of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to North Korea, and that TrickBot, TA505, and Dridex are connected to Russian-speaking cybercriminals. During the analysis, Arena explored public and open sources from security researchers who published information on threat activity.
The report concludes North Korean attackers are likely active in the cybercriminal underground and maintain relationships with high-level Russian-speaking cybercriminals. Further, malware believed to be used by, and likely written by, North Korean attackers were "very likely" distributed using network accesses held by Russian-speaking cybercriminals.
"[There's] the link between TrickBot and the operators behind TrickBot pretty clearly selling accesses to financial institutions to the North Koreans," says Arena. "And the fact that getting access to the TrickBot operators – figuring out who they are and who you contact for that – you have to be pretty vetted from a cybercriminal perspective."
TrickBot is a malware distribution framework not advertised on any open or invite-only criminal forum or marketplace. It is only accessible to top-tier criminals with a proven reputation gained through involvement with buying and selling products and services in the criminal underground. The ability of North Korean attackers to communicate with TrickBot's operators and customers would mean they are considered top-tier cybercriminals themselves.
Dr. Greg Rattray, partner and founder for Next Peak LLC, and former NSC director for cybersecurity at the White House, agrees. Rattray calls Lazarus Group the "quintessential scary, emerging strategic actor." While who they are is a little indeterminate, "they are a group with real capability" and nation-state grade tools, which they will use to achieve any number of goals.
"Any organized group uses the least necessary tools," says Rattray, who has previously run the red team and offensive operations. Lazarus Group is capable of using the tools necessary to achieve any number of goals aligning with what the North Korean regime wants, he adds. TrickBot is one of them. SentinelOne researchers spotted Lazarus Group using TrickBot to deploy its own malware samples onto the network of a business targeted with the Anchor attack toolset.
TrickBot infections normally begin with successful phishing campaigns. This attack-type makes cyber threat training/testing/awareness programs important for all employees. Based on findings from SentinelOne and several other research teams, Intel 471 assesses a likely link between TrickBot operators and North Korean attackers. TrickBot seems to be a source of compromised access that North Korean actors can use, and the people controlling it seems well-versed in identifying compromised organizations for follow-up attack activity, whether it is through Anchor or other intrusion tools like Metasploit, Cobalt Strike, or Empire.
The TrickBot link was the strongest discovered between North Korean attackers and Russian-speaking cybercriminals. Arena estimates this activity has been ongoing for over a year, though despite the length of time, it is unclear whether the Russian speaking actors know they are selling to North Korean attackers, who he says are also speaking in Russian.
Intel 471 also explored potential connections between North Korean attackers and TA505, as well as links to Dridex. They concluded while TA505 may have historically worked with North Korean attackers on occasion, it does not seem to have happened recently. No link was found between North Korea and Dridex.
So how do North Korea and Russian-speaking attackers benefit from such a collaboration? As always, follow the money. Arena starts with Russia, "What they gain out of it is their access to a team or group of people [who] are specialized in hacking banks and stealing huge amounts of money," he explains.
If Russian speaking attackers sell access to a financial institution, for example, there could be a monetary incentive if the intrusion is successful. The North Korean actors who steal the funds may be required to pay a percentage to the Russians if they are successful in stealing large sums of money.
For North Korea, the benefit is a source of access to financial institutions. While they likely have the capability to social engineer their way into a bank, the process is time-consuming. "If they're able to leverage accesses in the underground from other criminals, that's just something they don't have to do themselves," Arena adds.
From a cybercrime perspective, Russia is "leaps and bounds" ahead of other regions, which makes it an appealing collaborator. While some Russian speaking actors are motivated by espionage, the groups, in this case, are purely motivated by financial gain - a goal that aligns them with North Korean attackers. Their primary focus is on organizations with lower levels of security, for example, Rattray points to the attack on the Bank of Bangladesh, conducted by APT 38, an attack group that emerged as its own entity from the Lazarus Group. The rise of APT 38 coincided with international economic sanctions against North Korea and resulting in economic pressures.
This was one of a large number of attacks against weak nodes in the payment system. Attackers did not get inside the SWIFT organization but inside the people who use SWIFT to transfer major sums. "That's a transformational type of risk," he adds. "If we can't be confident that endpoints in the SWIFT system are not going to be corrupted and move tens, if not hundreds, of millions of dollars in fraudulent transactions, people start to get worried."
Getting inside the Bank of Bangladesh and living in there long enough to figure out how to push a fraudulent payment, is something an intelligence agency might do, Rattray points out. While he does not track specific attack groups, he says there is collaboration with Russian-speaking actors would be a "logical evolution" for the group. "Lazarus Group has and will continue to use the tools and techniques necessary for the mission," he says. "They operate like an intelligence service." The group has proved itself highly capable, and willing, to do the highest end of bad things, and their agility in doing so is an asset.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Red Sky Alliance can help protect against attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941