Group-IB, a Russian cyber security forensics company, claims to have definitively linked the Lazarus hacking group with North Korea - even going as far as pinpointing its operations in the capital, Pyongyang.
The claims were made by the company in a new report that links a series of cyber attacks, from military espionage in South Korea to the $81m Bangladesh Bank cyber theft, to Lazarus - and, hence, to North Korea.
Group-IB has traced the group to the Potonggang district of Pyongyang and the unfinished 105-storey Ryugyong Hotel, both facilities where foreigners are barred. Ultimately, it claims, Lazarus is controlled out of the Bureau 121 government agency, a division of the Reconnaissance General Bureau, a North Korean intelligence agency.
Bureau 121 is responsible for conducting military cyber campaigns, claims Group-IB.
"Lazarus is known to have specialized in DDoS attacks and corporate breaches targeting government, military, and aerospace institutions worldwide. Now that global economic pressure on North Korea has increased, Lazarus has shifted their focus to international financial organizations to conduct money thefts and espionage," claims the report.
An examination of four waves of cyber attacks attributed to Lazarus has firmed up the evidence linking the group to the North Korean government, suggests Group-IB.
These attacks include the ‘Troy’ cyber espionage campaign against South Korea between 2009 and 2012, which included hacking websites and distributed denial of service (DDoS) attacks; the DarkSoul operation in March 2013 that targeted three broadcasters and a bank, all in South Korea; the attack on Sony Pictures in 2014 in response to the release of the film ‘The Interview’; and the attack on Bangladesh Bank last year, which could have resulted in $951m in fraudulent payments being made.
Earlier this year, too, several Polish banks were targeted in a similar way. Sanctions against North Korea in response have included the disconnection of the country's banks from SWIFT.
"Group-IB specialists have researched this group and now have evidence which identifies that North Korea is behind these attacks: We have detected and thoroughly analyzed multiple layers of command and control (C&C) infrastructure used by Lazarus and have identified North Korean IP addresses from which the attacks were ultimately controlled," claims Group-IB.
The group used a sophisticated, three-layer C&C infrastructure, with complex multi-stage deployment techniques for the SWIFT attacks alone. One of the two IP addresses at the top of the C&C infrastructure was found to be 18.104.22.168, assigned to China Netcom, but believed to have been assigned to North Korea at the time of the attacks.
The other, 22.214.171.124, "refers to a North Korean Internet service provider. The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where the National Defence Commission is located — the highest military body in North Korea".
Given the difficulty of acquiring North Korean IP addresses, especially ones that can be traced to the same buildings used by the National Defence Commission, Group-IB believes that the identity of Lazarus Group is pretty much solved.
However, other specialists have debunked the claims, suggesting that the amateurish nature of the WannaCry malware was out of character with Lazarus. A linguistic analysis of the ransom notes has, instead, pointed the finger at hackers based in China.