[BreachExchange] North Korea's Lazarus Group Expands to Stealing Defense Secrets

Destry Winant destry at riskbasedsecurity.com
Mon Mar 1 10:33:35 EST 2021


https://www.darkreading.com/threat-intelligence/north-koreas-lazarus-group-expands-to-stealing-defense-secrets/d/d-id/1340259

Several gigabytes of sensitive data stolen from one restricted
network, with organizations in more than 12 countries impacted,
Kaspersky says.

The Lazarus Group, North Korea's advanced persistent threat (APT)
actor, appears to have broadened its primary mission of stealing money
for the cash-starved regime via cyberattacks to stealing defense
secrets.

Researchers at Kaspersky say last year the group was able to
successfully transfer several gigabytes worth of sensitive information
from a restricted network belonging to an organization in the defense
sector. Kaspersky discovered the breach when it was called in to
assist with incident response following a security incident at the
organization.

One especially troubling aspect of the attack was the manner in which
Lazarus operators overcame network segmentation at the organization to
access a completely isolated segment of its network and exfiltrate
data.

"We do not know what specific information was stolen since the
evidence related to this was not transferred to us," says Vyacheslav
Kopeytsev, senior security researcher at Kaspersky. "Based on the
profile of the organization, it can be assumed that the attackers were
interested in data on the production of weapons or military
equipment."

The Lazarus Group is arguably one of the most active, and notorious,
APT groups in operation. Researchers have tied the group to numerous
high-profile and highly destructive attacks, including the one on Sony
in 2014, the WannaCry ransomware outbreak in 2017, the theft of over
$80 million from Bangladesh Bank in 2016, and attacks on several
cryptocurrency operations. Though the group has been associated with
several cyber espionage and hacktivist campaigns, security researchers
believe one of its main missions is to use cyberattacks to steal money
for North Korea's nuclear and ballistic missile programs.

According to Kaspersky, starting sometime in early 2020, the group
appears to have expanded its mission to gathering defense secrets.
Its primary weapon in the campaign is a backdoor called
"ThreatNeedle," which the group uses to move laterally on compromised
networks. So far, defense-sector organizations in more than a dozen
countries have been impacted.

Kopeytsev says Kaspersky can't say for sure whether US organizations
have been caught up in the campaign. Kaspersky's analysis of
connections to a malware command-and-control server used in the
operation shows connections from the United States. While those
connections could be from victim organizations, they could equally
be from other security researchers investigating the same
campaign, he says.

Like most modern threat campaigns, the Lazarus Group's attacks on the
defense sector have relied on well-themed and well-scripted
spear-phishing emails. In the attack that Kaspersky investigated, the
emails were sent to individuals in various departments of the
organization. The realistic-looking emails purported to contain
COVID-19 updates from the deputy head doctor of a medical center that
is part of the organization. Each email carried a Word document with
a macro; once the recipient enabled macros, it downloaded and executed
further malware, ending in the installation of ThreatNeedle,
Kaspersky says.

COVID-19 was only one of several phishing lures the group used in
its bid to gain an initial foothold on the target network. Other lures
included documents appearing to be from major defense contractors.
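The delivery step above is the one a mail gateway can still interrupt: a Word attachment that carries a VBA project is macro-enabled whatever its name says. The following is an added example, not code from the article or from Kaspersky, showing how to inspect the OOXML (ZIP) container of an attachment for `word/vbaProject.bin` and for the macro-enabled content type, instead of trusting the extension. The sample documents are constructed in memory and contain a placeholder stub, not a real VBA project; legacy binary `.doc` (OLE2) files use a different container and are not covered here (oletools' `olevba` handles both).

```python
"""Attachment triage for macro-capable Word documents (added example).

Inspects the OOXML container of an attachment the way a mail gateway
would: a file carrying word/vbaProject.bin is macro-enabled regardless of
its extension, and the Override entry for /word/document.xml in
[Content_Types].xml says whether Word will treat it as macro-enabled.
Sample files are constructed below; nothing here is from the article.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument."
            "wordprocessingml.document.main+xml")
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_docx(data: bytes, filename: str) -> dict:
    """Return a verdict dict for one Word attachment (bytes plus claimed name)."""
    verdict = {"filename": filename, "is_ooxml": False, "has_vba": False,
               "macro_enabled_ct": False, "extension_mismatch": False,
               "flags": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["flags"].append("not an OOXML container")
        return verdict
    names = set(zf.namelist())
    verdict["is_ooxml"] = True
    verdict["has_vba"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for ov in root.iter(CT_NS + "Override"):
            if ov.get("PartName") == "/word/document.xml":
                verdict["macro_enabled_ct"] = ov.get("ContentType") == MACRO_CT
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A VBA project inside a file named .docx/.dotx: the container does
    # not match the extension, which is worth flagging on its own.
    if verdict["has_vba"] and ext in ("docx", "dotx"):
        verdict["extension_mismatch"] = True
        verdict["flags"].append("extension does not match container")
    if verdict["has_vba"]:
        verdict["flags"].append("contains VBA project")
    if verdict["macro_enabled_ct"]:
        verdict["flags"].append("macro-enabled content type")
    return verdict


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML Word file in memory (sample data, not a lure)."""
    ct = MACRO_CT if with_vba else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{ct}"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real (OLE2) VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vba in (("COVID-19_update.docm", True), ("memo.docx", False)):
        print(inspect_docx(build_sample(vba), name))
```

Policy is then a gateway decision on the verdict: quarantine anything with `has_vba`, and treat `extension_mismatch` as a tampering signal rather than an evasion (Word refuses to run macros from a file named `.docx`).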

In early June 2020, an employee at the targeted organization opened
one of the malicious attachments, allowing Lazarus Group operators to
gain remote control of the infected host and install ThreatNeedle on
it. Kaspersky described the backdoor as part of a broader malware
family called Manuscrypt that the Lazarus Group has used in numerous
attacks on cryptocurrency operators and against a mobile game
provider. The group uses the malware for initial reconnaissance
of an infected network, to collect credentials, and to move laterally
by installing additional malware.

Bridging the Air Gap
Kaspersky's investigation shows that the attackers used their access on
the corporate network to reach a completely restricted segment that
had no direct Internet access. To do that, the adversary used stolen
credentials to log in to administrator workstations with access to
both environments. They also obtained credentials to a virtual router
that admins used to connect to systems in both environments. The
attackers configured the router to host and deploy additional malware
on the restricted (OT) network and abused a web interface on it to
exfiltrate data from that network.
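The segmentation failure described here is not the firewall rules but the hosts and credentials that legitimately sit on both sides: dual-homed admin workstations, a router with an interface in each segment, and accounts that authenticate in both. The following is an added example, not from the article or Kaspersky's report, of the audit a defender would run over a host inventory and logon records to enumerate exactly those bridges. The address ranges, hostnames, accounts and logon records are all constructed for the example.

```python
"""Enumerate hosts and accounts that bridge a restricted segment to the
corporate network (added example with constructed data).

Two checks:
  1. dual-homed hosts: any host with an interface address in both the
     corporate and the restricted range (admin workstations, the router);
  2. spanning accounts: accounts seen logging on to targets in both
     segments, i.e. credentials that, once stolen on the corporate side,
     also open the restricted side.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan for the two segments.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED = ipaddress.ip_network("10.200.0.0/16")

# Constructed host inventory: hostname -> interface addresses.
INVENTORY = {
    "ws-admin-01": ["10.10.5.21", "10.200.1.21"],
    "vrouter-mgmt": ["10.10.0.1", "10.200.0.1"],
    "ws-user-17": ["10.10.7.113"],
    "plc-hmi-03": ["10.200.3.14"],
}

# Constructed logon records: (source host, account, target address).
LOGONS = [
    ("ws-user-17", "j.smith", "10.10.40.5"),
    ("ws-admin-01", "ot_admin", "10.10.40.5"),
    ("ws-admin-01", "ot_admin", "10.200.3.14"),
    ("vrouter-mgmt", "netadm", "10.200.0.5"),
    ("ws-user-17", "j.smith", "10.10.41.9"),
    ("ws-user-17", "svc_backup", "192.168.77.2"),
]

BOTH = {"corporate", "restricted"}


def segment_of(addr: str) -> str:
    """Classify an address as corporate, restricted, or other."""
    ip = ipaddress.ip_address(addr)
    if ip in RESTRICTED:
        return "restricted"
    if ip in CORPORATE:
        return "corporate"
    return "other"


def dual_homed_hosts(inventory: dict) -> list:
    """Hosts with at least one interface in each segment."""
    return sorted(host for host, addrs in inventory.items()
                  if BOTH <= {segment_of(a) for a in addrs})


def spanning_accounts(logons: list) -> list:
    """Accounts that authenticated to targets in both segments."""
    seen = defaultdict(set)
    for _src, account, target in logons:
        seen[account].add(segment_of(target))
    return sorted(acct for acct, segs in seen.items() if BOTH <= segs)


def restricted_logons_from_bridges(inventory: dict, logons: list) -> list:
    """Logons into the restricted segment that originated on a dual-homed
    host: the pivot path an intruder on the corporate side would take."""
    bridges = set(dual_homed_hosts(inventory))
    return [(src, acct, tgt) for src, acct, tgt in logons
            if src in bridges and segment_of(tgt) == "restricted"]


def report(inventory=INVENTORY, logons=LOGONS) -> dict:
    return {
        "dual_homed": dual_homed_hosts(inventory),
        "spanning_accounts": spanning_accounts(logons),
        "pivot_logons": restricted_logons_from_bridges(inventory, logons),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Every entry in `dual_homed` and `spanning_accounts` is a candidate for the controls the article's incident argues for: separate admin credentials per segment, no dual-homed workstations, and a router management plane that is not reachable with corporate credentials.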

Kopeytsev says the campaign poses a threat to organizations in the US
defense sector.

"In my opinion, the risk is high. Attacks are carefully prepared and
aimed at stealing confidential data from defense contractors," he
says. "In the case of a successful attack, this may have big
consequences."


More information about the BreachExchange mailing list