Wednesday, 31 May 2017 11:53

Russian firm claims N. Korea linked to Lazarus Group


A Russian cyber security firm claims it has found evidence that links the Lazarus Group to North Korea.

Two other companies, Symantec and Kaspersky Lab, have alleged that this group was behind the recent WannaCry ransomware attack.

The Lazarus Group has been said to be responsible for stealing from a Bangladesh bank, attacking Sony Pictures Entertainment, and also for an attack on South Korea's online industry in 2013.

The Russian company, Group-IB, said in a detailed report that it had analysed multiple layers of the command and control (C&C) infrastructure used by the Lazarus Group, including two of its C&C servers.

One of the C&C servers had the IP address 210.52.109.22, which belonged to the Chinese company China Netcom. The second, which Group-IB said provided definite proof of links to Pyongyang, was 175.45.178.222, which it claimed was an IP address allocated to a North Korean Internet service provider.

"The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where (North Korea's) National Defence Commission is located — the highest military body in North Korea," Group-IB said.

It said it had also come across a 2016 report on the South Korean TV channel Arirang News in which, during a clip about an attack on two Seoul corporations, two IPs in the same range were listed on screen: 175.45.178.19 and 175.45.178.97.

"South Korea's National Police Agency reportedly identified that the cyber attack had been performed from the unfinished North Korean Ryugyong hotel. Group-IB could not confirm this location attribution," it said.

Group-IB said the Lazarus Group had tried to masquerade as being of Russian origin by including debugging symbols and strings containing Russian words in commands issued by malware that it propagated.

However, it said, these words were quite often wrongly used and would not have been employed as such had the writer of the malware been a native Russian speaker.

Additionally, Group-IB said, the Lazarus Group used Enigma Protector, professional software created by a Russian developer, to guard the executables it created.

And finally, Lazarus was said to have borrowed exploits for Flash and Silverlight from those created by Russian hackers.

"To mask malicious activity, the hackers used a three-layer architecture of compromised servers with SSL-encrypted channels established between them," Group-IB said summing up its findings.

"In addition to encrypted traffic, data sent through (the) SSL-channel was additionally encrypted. The attackers achieved anonymity by employing a legitimate VPN client - SoftEther VPN. In some cases, they also used corporate Web servers that were part of the attacked infrastructure."

Group-IB said the earliest indicator of attacks on financial institutions by the Lazarus Group was in March 2016.

"This was directly after the Central Bank of Bangladesh incident, which took place in February 2016, where attackers attempted to steal US$1 billion.

"Only a spelling mistake in an online bank transfer instruction helped prevent them from stealing more than US$81 million. Following this incident, the group modified its tactics and tools, adapting them to the changing environment and misleading researchers."

Other attack targets that Group-IB claimed to have identified included universities in the US, Canada, the UK, India, Bulgaria, Poland and Turkey; pharmaceutical companies in Japan and China; and government subnets in various countries.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
