Hackers stole on-chain assets worth approximately US$1.5 billion from Bybit. Four hours after the incident, on-chain investigator ZachXBT submitted conclusive evidence confirming that the attack on Bybit was carried out by the North Korean hacker organization Lazarus Group.
Source: Wikipedia
Compiled by: Yobo, Foresight News
The following is a translation of the main text of the Wikipedia entry “Lazarus Group”:
The Lazarus Group (also known as the “Guardians of Peace” or the “Whois Team”) is a hacker group of unknown size allegedly controlled by the North Korean government. Although little is known about the group, researchers have attributed multiple cyber attacks to it since 2010.
Originally a criminal gang, the group is now classified as an advanced persistent threat (APT) because of its intent, the threat it poses, and the range of methods it uses in its operations. Cybersecurity agencies have given it a number of names, such as “Hidden Cobra” (the term the U.S. Department of Homeland Security uses for malicious cyber activity by the North Korean government) and “ZINC” or “Diamond Sleet” (Microsoft’s names for it). According to North Korean defector Kim Kuk-song, the group is known inside North Korea as the “414 Liaison Office.”
The Lazarus Group has close ties to North Korea. The U.S. Department of Justice described the group as part of the North Korean government’s strategy to “undermine global cybersecurity… and generate illicit revenue in violation of sanctions.” North Korea gains many benefits from cyber operations: it needs to maintain only a very small team to pose a “global” asymmetric threat (especially to South Korea).
History
The group’s earliest known attack was Operation Troy, from 2009 to 2012. It was a cyber espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group also launched attacks in 2011 and 2013. Although it is not certain, it may also have been responsible for a 2007 attack on South Korea. One of the group’s best-known attacks, in 2014, targeted Sony Pictures. That attack used more sophisticated techniques and showed that the group had matured over time.
According to reports, in 2015 the Lazarus Group stole US$12 million from Banco del Austro in Ecuador and US$1 million from Tien Phong Bank in Vietnam. It also targeted banks in Poland and Mexico. In a 2016 bank heist, the group attacked a bank and stole $81 million; this case is also believed to be the group’s work. In 2017, the Lazarus Group was reported to have stolen US$60 million from Taiwan’s Far Eastern International Bank, although the actual amount stolen was unclear and most of the funds were recovered.
It is unclear who is really behind the group, but media reports point to close ties with North Korea. In 2017, Kaspersky Lab reported that the Lazarus Group tended to focus on espionage and infiltration attacks, while an internal sub-group Kaspersky calls “Bluenoroff” specializes in financial attacks. Kaspersky observed attacks around the world and found a direct IP-address link between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the code reuse could be a “false flag” intended to mislead investigators and pin the blame on North Korea, given that the global “WannaCry” worm attack had copied technology from the U.S. National Security Agency (NSA). That ransomware exploited the NSA’s EternalBlue exploit, which was published by a hacking group called the Shadow Brokers in April 2017. Also in 2017, Symantec reported that the “WannaCry” attack was most likely the work of the Lazarus Group.
2009: Operation Troy
The Lazarus Group’s first major hacking incident began on July 4, 2009, marking the start of Operation Troy. The attack used the Mydoom and Dozer malware to launch large-scale but unsophisticated DDoS attacks on U.S. and South Korean websites. It targeted about 36 websites and wrote the text “Independence Day” into the master boot record (MBR).
2013 South Korean cyber attack (Operation 1 / Operation Dark Seoul)
Over time, the group’s attack methods became more complex, and its tools and techniques more mature and effective. The March 2011 “Ten Days of Rain” attack targeted South Korean media, finance and critical infrastructure, using more sophisticated DDoS attacks launched from compromised computers inside South Korea. On March 20, 2013, Operation “Dark Seoul” was launched, a data-wiping attack on three South Korean broadcasters, financial institutions and an Internet service provider. At the time, two other groups calling themselves the “NewRomanic Cyber Army Team” and the “WhoIs Team” claimed responsibility, and researchers did not yet know that the Lazarus Group was behind it. Researchers now attribute these destructive attacks to the Lazarus Group.
Late 2014: the Sony Pictures breach
On November 24, 2014, the Lazarus Group’s attacks reached their peak. That day, a post appeared on Reddit saying that Sony Pictures had been hacked by unknown means and that the attackers called themselves the “Guardians of Peace.” A large amount of data was stolen and gradually leaked in the days after the attack. One person who claimed to be a member of the group said in an interview that they had been stealing Sony data for more than a year.
The hackers gained access to unreleased films, some film scripts, future film plans, executive salary information, emails, and the personal information of approximately 4,000 employees.
Early 2016 investigation: “Operation Blockbuster”
Under the codename “Operation Blockbuster,” a coalition of security companies led by Novetta analyzed malware samples found in different cybersecurity incidents. Using this data, the team examined the hackers’ modus operandi and linked the Lazarus Group to multiple attacks through a pattern of code reuse. For example, the group used an encryption algorithm little known on the Internet, the “Caracachs” cipher.
2016 bank cyber heist
The bank heist took place in February 2016. The hackers issued 35 fraudulent payment orders over the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network in an attempt to illegally transfer nearly $1 billion from a country’s central bank account at the Federal Reserve Bank of New York. Five of the 35 fraudulent instructions went through, transferring US$101 million, of which US$20 million went to Sri Lanka and US$81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining 30 transactions, worth $850 million, after a misspelling in one order raised suspicion. Cybersecurity experts said the Lazarus Group, from a certain country, was behind the attack.
May 2017 “WannaCry” ransomware attack
The “WannaCry” attack was a large-scale ransomware cyber attack. On May 12, 2017, many institutions around the world were affected, from the UK’s National Health Service (NHS) to Boeing and even some universities in China. The attack lasted 7 hours and 19 minutes. Europol estimated that it affected nearly 200,000 computers in 150 countries, with Russia, India, Ukraine and Taiwan among the hardest hit. A cryptoworm is malware that spreads between computers over the network and infects them without direct user action; in this attack it used TCP port 445. Computers were infected without anyone clicking a malicious link. The malware could spread automatically from one computer to connected printers and then to other nearby computers on wireless networks. A vulnerability reachable on port 445 allowed the malware to spread freely across internal networks, quickly infecting thousands of computers. The “WannaCry” attack was one of the first large-scale attacks to use a cryptoworm.
How it worked: The virus exploited a vulnerability in the Windows operating system, then encrypted the computer’s data and demanded approximately $300 worth of Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and if payment was not made within a week the malware deleted the encrypted files. The malware used legitimate Microsoft software, “Windows Crypto,” to encrypt files. After encryption, file names received the suffix “Wincry,” which is the origin of the name “WannaCry.” “Wincry” is the basis of the encryption, but the malware also exploited two other vulnerabilities, “EternalBlue” and “DoublePulsar,” which made it a cryptoworm. “EternalBlue” automatically spread the virus over the network, while “DoublePulsar” triggered the virus to activate on the victim’s computer. In other words, EternalBlue delivered the infected link to your computer, and DoublePulsar clicked on it for you.
Security researcher Marcus Hutchins received a sample of the virus from a friend at a security research company and discovered a “kill switch” hard-coded into the malware, which ended the attack. The malware regularly checked whether a specific domain name was registered and continued encrypting only if the domain did not exist. Hutchins discovered this check and registered the domain at 3:03 pm UTC; the malware immediately stopped spreading and infecting new devices. This situation was very interesting and provided clues for tracking down the virus’s author. Normally, stopping malware requires months of back-and-forth between hackers and security experts, so such an easy win was unexpected. Another unusual feature of the attack was that files could not be recovered even after the ransom was paid; the hackers received only $160,000 in ransom, which led many to believe that money was not their goal.
The ease with which the kill switch was found and the meagre ransom proceeds led many to believe the attack was state-backed, with the motive being chaos rather than financial gain. After the attack, security experts traced the “DoublePulsar” exploit to the National Security Agency, which had originally developed it as a cyber weapon. The “Shadow Brokers” hacking group later stole the exploit; it first tried to auction it, failed, and finally released it for free. The NSA subsequently informed Microsoft of the vulnerability, and Microsoft released an update on March 14, 2017, two months before the attack occurred. But that was not enough: since the update was not mandatory, as of May 12 most of the vulnerable computers had not been patched, which is why the attack caused such astonishing damage.
Aftermath: The U.S. Department of Justice and British authorities later determined that the WannaCry attack was the work of the North Korean hacking group Lazarus Group.
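As an added example (not from the article or the Wikipedia entry), the following Python triages constructed DNS and firewall logs for the two behaviours described above: a host whose kill-switch lookup returned NXDOMAIN would have kept encrypting and spreading, a host whose lookup resolved went dormant, and a host fanning out to many peers on TCP/445 shows the worm’s spread pattern. The kill-switch domain, IP addresses and log lines are placeholders I constructed.

```python
"""Added example: defender-side triage of the WannaCry kill-switch lookup and
TCP/445 fan-out described in the text. All log data is constructed."""
from collections import defaultdict
from typing import Dict, List

# Placeholder: the real hard-coded domain is not given on this page.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed DNS resolver log: "<time> <client_ip> <qname> <rcode>"
DNS_LOG = """\
2017-05-12T14:58:01Z 10.0.1.15 killswitch-placeholder.example NXDOMAIN
2017-05-12T14:58:02Z 10.0.1.15 update.example.net NOERROR
2017-05-12T15:04:10Z 10.0.2.7 killswitch-placeholder.example NOERROR
2017-05-12T15:04:11Z 10.0.3.9 www.example.org NOERROR
"""

# Constructed firewall log of accepted TCP connections: "<time> <src_ip> <dst_ip> <dport>"
FW_LOG = """\
2017-05-12T14:58:05Z 10.0.1.15 10.0.1.16 445
2017-05-12T14:58:05Z 10.0.1.15 10.0.1.17 445
2017-05-12T14:58:06Z 10.0.1.15 10.0.1.18 445
2017-05-12T14:58:07Z 10.0.1.15 10.0.1.19 445
2017-05-12T15:00:00Z 10.0.3.9 10.0.1.20 445
2017-05-12T15:00:01Z 10.0.3.9 10.0.1.21 443
"""


def killswitch_permits_execution(domain_resolves: bool) -> bool:
    """The check the text describes: the worm continues only if the lookup fails."""
    return not domain_resolves


def killswitch_lookups(dns_log: str, domain: str = KILLSWITCH_DOMAIN) -> Dict[str, str]:
    """Map each client that queried the kill-switch domain to the rcode it received.
    NXDOMAIN means the domain was unregistered at that moment, so the worm ran;
    NOERROR means the registered (sinkholed) domain answered and the sample stopped."""
    seen: Dict[str, str] = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].lower() == domain:
            seen[parts[1]] = parts[3]
    return seen


def smb_fanout(fw_log: str, threshold: int = 3) -> Dict[str, int]:
    """Count distinct TCP/445 destinations per source and return sources above threshold.
    One host opening SMB to many peers in a short window is the worm's spread pattern."""
    dests = defaultdict(set)
    for line in fw_log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "445":
            dests[parts[1]].add(parts[2])
    return {src: len(d) for src, d in dests.items() if len(d) > threshold}


def triage(dns_log: str, fw_log: str) -> Dict[str, List[str]]:
    """Combine both signals into per-host findings an analyst can act on."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for host, rcode in killswitch_lookups(dns_log).items():
        if killswitch_permits_execution(rcode != "NXDOMAIN"):
            findings[host].append("kill-switch unresolved: encryption and spread would proceed")
        else:
            findings[host].append("kill-switch resolved: dormant but infected, clean up")
    for host, n in smb_fanout(fw_log).items():
        findings[host].append(f"SMB fan-out to {n} hosts on TCP/445")
    return dict(findings)
```

Any host with an NXDOMAIN answer for the kill-switch domain should be isolated immediately; a host that received NOERROR still carries the sample even though it went dormant.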
2017 cryptocurrency attacks
In 2018, Recorded Future released a report alleging that the Lazarus Group was involved in attacks against users of the cryptocurrencies Bitcoin and Monero, mainly targeting Korean users. According to the report, these attacks were technically similar to earlier attacks using the “WannaCry” ransomware and the attacks on Sony Pictures. One method the Lazarus Group hackers used was to exploit vulnerabilities in the South Korean word processor Hangul (developed by Hancom). Another tactic was to send spear-phishing lures containing malware, targeting South Korean students and users of cryptocurrency exchanges such as Coinlink.
If a user opened the malware, their email address and password were stolen. Coinlink denied that its website or its users’ email addresses and passwords were compromised. The report concluded: “This series of attacks in late 2017 demonstrated that a certain country’s interest in cryptocurrencies has increased, and we now know that this interest covers a wide range of activities including mining, ransomware attacks and direct theft…” The report also noted that the country used these cryptocurrency attacks to circumvent international financial sanctions.
In February 2017, hackers from a certain country stole US$7 million from the South Korean cryptocurrency exchange Bithumb. Youbit, another South Korean bitcoin exchange, was attacked in April 2017 and had to file for bankruptcy in December of the same year after 17% of its assets were stolen. The Lazarus Group and hackers from that country have been accused of being behind these attacks. In December 2017, the cryptocurrency cloud-mining marketplace NiceHash lost more than 4,500 bitcoins. An investigation update revealed that the attack was linked to the Lazarus Group.
September 2019 attacks
In mid-September 2019, the United States issued a public alert about a newly discovered malware family called “ElectricFish.” Since the beginning of 2019, agents of a certain country had carried out five major cyber thefts around the world, including the successful theft of US$49 million from an institution in Kuwait.
Pharmaceutical company attacks in late 2020
As the COVID-19 pandemic continued to spread, pharmaceutical companies became major targets of the Lazarus Group. Group members used spear-phishing, posing as health officials and sending malicious links to pharmaceutical company employees. Many large pharmaceutical companies are believed to have been targeted, but so far only AstraZeneca, the British-Swedish company, has been identified. According to Reuters, many employees were targeted, many of them involved in COVID-19 vaccine research and development. It is unclear what the Lazarus Group’s purpose was, but it could include stealing sensitive information for profit, running extortion schemes, or giving foreign regimes access to proprietary research on the new coronavirus. AstraZeneca has not commented on the incident, and experts believe no sensitive data was leaked.
January 2021 attacks on cybersecurity researchers
In January 2021, Google and Microsoft both publicly reported that a group of hackers from a certain country had attacked cybersecurity researchers using social engineering. Microsoft explicitly attributed the attack to the Lazarus Group.
The hackers created multiple profiles on platforms such as Twitter, GitHub and LinkedIn, posing as legitimate vulnerability researchers, and interacted with posts and content published by others in the security research community. They then contacted specific security researchers directly, citing collaborative research, to lure them into downloading files containing malware or visiting blog posts on hacker-controlled websites.
Some victims who visited the blog post said their computers were compromised even though they were running a fully patched Google Chrome browser, suggesting the hackers may have used a previously unknown Chrome zero-day vulnerability; however, Google said at the time of its report that it could not determine the specific intrusion method.
March 2022 Axie Infinity attack
In March 2022, Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by Axie Infinity games. “Through our investigation, we have determined that Lazarus Group and APT38, a cyber actor associated with North Korea, were behind the theft,” the FBI said.
June 2022 Horizon Bridge attack
The FBI has confirmed that the Lazarus Group, also known as APT38, a North Korean malicious cyber actor group, was behind the reported theft of $100 million in virtual currency from Harmony’s Horizon Bridge on June 24, 2022.
Other related cryptocurrency attacks in 2023
A report released by blockchain security platform Immunefi stated that Lazarus Group caused losses of more than US$300 million in cryptocurrency hacking incidents in 2023, accounting for 17.6% of the total losses that year.
June 2023 Atomic Wallet attack: In June 2023, users of the Atomic Wallet service had more than $100 million in cryptocurrency stolen, which the FBI subsequently confirmed.
September 2023 Stake.com hack: In September 2023, the FBI confirmed that $41 million worth of cryptocurrency was stolen from the online casino and gaming platform Stake.com by the Lazarus Group.
U.S. sanctions
On April 14, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) added the Lazarus Group to the Specially Designated Nationals List (SDN List) under Section 510.214 of the North Korea Sanctions Regulations.
2024 cryptocurrency attacks
According to Indian media reports, the Indian cryptocurrency exchange WazirX was attacked by the group and $234.9 million worth of cryptocurrency assets were stolen.
Personnel training
Some North Korean hackers are rumored to be sent to Shenyang, China, for professional training in implanting various types of malware into computers, networks and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University and Mangyongdae University undertake the relevant education. These universities select the best students from across the country for a six-year special program. Beyond university, “some of the best programmers… are sent to Mangyongdae University or Mirim College for further study.”
Organizational branches
The Lazarus Group is believed to have two branches.
BlueNorOff
BlueNorOff (also known as APT38, “Stardust Chollima,” “BeagleBoyz” and “NICKEL GLADSTONE”) is a financially motivated group that conducts illegal money transfers by forging Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages. Mandiant calls it APT38, while CrowdStrike calls it “Stardust Chollima.”
According to a 2020 U.S. Army report, BlueNorOff has approximately 1,700 members who focus on long-term assessment and exploitation of adversary cyber vulnerabilities and systems to carry out financial cybercrime, generating revenue for the regime or taking control of the related systems. Between 2014 and 2021, its targets included 16 institutions in at least 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey and Vietnam. The illicit proceeds are believed to have funded the country’s missile and nuclear programs.
BlueNorOff’s most notorious attack was the 2016 bank heist in which it attempted to illegally transfer nearly $1 billion from a country’s central bank account at the Federal Reserve Bank of New York through the SWIFT network. After some transactions had been completed (US$20 million to Sri Lanka and US$81 million to the Philippines), the Federal Reserve Bank of New York became suspicious because of a misspelling in one order and blocked the remaining transactions.
Malware associated with BlueNorOff includes: “DarkComet”, “Mimikatz”, “Nestegg”, “Macktruck”, “WannaCry”, “Whiteout”, “Quickcafe”, “Smoothride”, “TightVNC”, “Sorrybrute”, “Keylime”, “Snapshot”, “Mapmaker”, “net.exe”, “sysmon”, “twBooreck”, “Cleantoad”, “Closepack”, “Hermes”, “Twopence”, “Electricfish”, “Powerratankba” and “Powerspritz”.
Methods commonly used by BlueNorOff include phishing, backdoors, exploiting vulnerabilities, watering-hole attacks, using outdated and insecure versions of Apache Struts 2 to execute code on systems, strategic web compromises, and access to Linux servers. There are reports that the group sometimes cooperates with criminal hackers.
Andariel
Andariel (also spelled Andarial, and also nicknamed Silent Chollima, Dark Seoul, Rifle and Wassonite) is logically characterized by its targeting of South Korea. The nickname “Silent Chollima” comes from the secretive nature of the group. Any institution in South Korea could be attacked by Andariel, which targets government departments, defense agencies and various economically significant entities.
According to a 2020 U.S. Army report, Andariel has approximately 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map adversary networks for potential attacks. In addition to South Korea, it has targeted governments, infrastructure and businesses in other countries. Attack methods include ActiveX controls, vulnerabilities in Korean software, watering-hole attacks, spear-phishing (with macro-based malware), attacks on IT management products (such as antivirus and project-management software), and supply-chain attacks (installers and updates). The malware it uses includes Aryan, Gh0st RAT, Rifdoor, Phandoor and Andarat.
Prosecution of related personnel
In February 2021, the U.S. Department of Justice indicted three members of North Korea’s military intelligence agency, Park Jin Hyok, Jon Chang Hyok and Kim Il, accusing them of taking part in multiple Lazarus Group hacking campaigns. Park Jin Hyok had already been charged in September 2018. None of the suspects is in U.S. custody. In addition, a Canadian and two Chinese nationals have been charged with acting as money mules and money launderers for the Lazarus Group.