With their raids, the hackers of the Lazarus group bring the North Korean regime billions. Now they are trying a new field. And they are surprisingly clumsy.
For a long time, the idea was ridiculed: of all places, North Korea, where only very few people have Internet access at all, and then only under severe restrictions, is supposed to run its own hacker group. But at least since the attack on Sony Pictures and the gigantic chaos caused by the Wannacry attack, one thing was clear: the group known as Lazarus is not to be trifled with. Now the hackers are trying a new field: extortion on a large scale.
“Big game hunting” is what the cybersecurity scene calls the attempt to use extortion Trojans not to relieve small users of small sums, but to seize entire corporate or government systems in large-scale operations, and then to ransom them back for sums in the millions. One example of such a hack is the recent attack on Garmin. Now Kim Jong Un’s hackers also seem to want to get in on the action.
Surprising trail to Korea
This is what the security experts at Kaspersky report in a blog post. During the investigation of two Trojan horse campaigns, a previously unknown piece of extortion software was discovered. According to the experts, this is remarkable: the usual suspects almost always use established programs from the scene that are traded on the dark net, the post says. In an attack, teams that are independent of one another first secure access to the system, then sift through the data there, and finally encrypt the relevant files. Yet other groups handle the handover of the money and the laundering of the ransom, and they all pay each other.
The attacks named “VHD” and “Hakuna MATA” went differently. A single actor attacked an organization’s network with a self-written program and began encrypting data after only ten hours. That, too, is unusual: the time span is barely enough to assess the value of the information, and thus the amount of the ransom, according to Kaspersky. Nor can it be said whether the hackers were able to sniff out the location of the backups in such a short time. That Lazarus is behind it despite the numerous mistakes can be concluded from the use of a server that this group alone controls.
Billions for Kim Jong Un
The Lazarus group, also known as “Hidden Cobra”, otherwise earns its money with other types of cybercrime. According to an FBI report, the hackers, who report to the North Korean intelligence service RGB, funnel billions of dollars into the regime’s coffers, some of which also finance the dictator’s missile program. They are held responsible for numerous attacks on crypto exchanges, but are also said to have successfully hacked and emptied conventional banks. Spying on company secrets and destructive attacks such as the one on Sony Pictures are also part of the repertoire. In 2014 the film studio dared to make fun of Kim Jong Un in the comedy “The Interview”. In response, the studio’s servers were wiped and unreleased films were put on the Internet.
The experts are now wondering why the hackers are venturing into new terrain, and why they are making it unnecessarily hard for themselves. The Kaspersky experts are surprised, since the Lazarus group has also used programs and services from other hackers in the past. “Perhaps they found the interactions in the cybercrime underworld difficult, perhaps they could no longer afford to share the profits,” they offer as an explanation for the decision.
What is certain, however, is that they are struggling in the new line of business. “It is evident that the group’s quick-fix approach to extortion attacks cannot match the efficiency of other cybercriminals,” the post explains. Whether Lazarus sticks with it depends above all on whether the campaign was profitable in the end, the experts are certain. “We’ll see if in the end they actually get into big game hunting or write it off as a failed experiment.”