The North Korean threat actor Lazarus Group has turned to supply chain attacks, in the style of the SolarWinds and Kaseya compromises, to reach the regime's targets, according to cybersecurity firm Kaspersky.
Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”
The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants, BLINDINGCAN and COPPERHEDGE, which the DHS Cybersecurity & Infrastructure Security Agency (CISA) had previously documented in analysis reports AR20-232A and AR20-133A.
According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.
Identified by US-CERT and the FBI as HIDDEN COBRA, the group is suspected of being responsible for the WannaCry ransomware and for the Sony Pictures Entertainment hack that escalated tensions between the US and North Korea.
Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.
Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.
During the attack, the North Korean APT deployed a downloader named "Racket" that was signed with a stolen digital certificate. The group had stolen the certificate from a US-based South Korean security company, so the binary carried a signature that chained to a legitimate vendor and would pass a simple "is it signed?" check.
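A signature made with a stolen vendor certificate validates exactly like a genuine one, so the practical defence is to pin which signers are allowed to sign what runs on a host and to flag valid signatures from anyone else. The PowerShell below is an added example written for this article, not code from Kaspersky or from any vendor named here; the thumbprints are placeholders you would replace with values read from a known-good install, and the scan paths are assumptions about where vendor agents live.

```powershell
# Added example (not from the article): find Authenticode-signed binaries whose signature is
# cryptographically valid but whose signer is NOT on the per-host allowlist.
# A stolen certificate produces Status = Valid, so validity alone is not a trust decision.

# Placeholder thumbprints (assumed). Read the real ones once from a known-good install with:
#   (Get-AuthenticodeSignature 'C:\Program Files\Vendor\agent.exe').SignerCertificate.Thumbprint
$AllowedSignerThumbprints = @(
    '0000000000000000000000000000000000000001',  # placeholder: endpoint security vendor
    '0000000000000000000000000000000000000002'   # placeholder: asset-monitoring vendor
)

function Test-SignerAllowed {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = if ($null -ne $cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($null -ne $cert) { $cert.Thumbprint } else { $null }
        # Only a Valid signature from a pinned signer passes; everything else is flagged.
        Allowed    = ($sig.Status -eq 'Valid') -and ($null -ne $cert) -and
                     ($AllowedSignerThumbprints -contains $cert.Thumbprint)
    }
}

# Assumed scan locations: where vendor agents and their updaters are installed on this host.
$ScanPaths = @('C:\Program Files', 'C:\Program Files (x86)')

# The interesting set is "validly signed, but by a signer we never approved": that is what a
# downloader signed with another vendor's stolen certificate looks like.
Get-ChildItem -Path $ScanPaths -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerAllowed -Path $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.Allowed } |
    Sort-Object Signer, Path |
    Format-Table Signer, Thumbprint, Path -AutoSize
```

Unsigned or hash-mismatched files are a separate audit and are deliberately not listed here. Pinning catches a binary signed with a certificate stolen from some other company, which is the pattern described above; it does not help if the attacker steals the very certificate you have pinned, so pair it with revocation checking and vendor-published hashes for updates.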
According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts to them in the process. The group used those scripts to control the trojans installed on downstream victims.
“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.
“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early detection and remediation continue to be the best approach to dealing with these types of attacks.”
Kaspersky did not gain visibility into how the threat actor compromised the asset monitoring firm. The cybersecurity company, however, believes the attack was part of Lazarus’ expanding supply chain attacks.
“We did not have visibility into how Lazarus compromised the South Korean security software company nor the asset monitoring technology provider in Latvia,” said Ariel Jungheit, senior security researcher, Global Research and Analysis Team at Kaspersky. “We take our findings at face value as an indicator of Lazarus’ interest in developing supply chain capabilities.”
Lazarus expanding into the defense industry
Lazarus has also been pursuing the defense industry using the MATA framework, a multi-platform toolkit that runs on Windows, Linux, and macOS. In this campaign the group delivered it through trojanized versions of applications commonly used on the targeted operating systems.
Lazarus has traditionally used the MATA framework to spread malware and steal customer information for financial gain. The researchers noted that this was the first time they had seen the group use the framework for cyber espionage.
Security researchers have also observed the group building out its supply chain attack capabilities with a new variant of the DeathNote cluster, consisting of modified versions of BLINDINGCAN.
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks,” Jungheit said. He noted that a successfully executed supply chain attack could have effects as devastating as those of the SolarWinds incident.
Kaspersky also observed other threat actors in Asia executing supply chain attacks similar to those of Lazarus. HoneyMyte, a Chinese APT, trojanized fingerprint reader software on a South Asian government agency's distribution server to deliver the PlugX trojan, in a campaign dubbed “SmudgeX.”
“The Lazarus Group continues to demonstrate its ability to adapt and to continue to be a serious threat in the world of cybercrime,” said Erich Kron, security awareness advocate at KnowBe4. “These supply chain attacks take advantage of the trust we have in vendors, especially security vendors, and the tools that we install in our environments.
“These tools often have a high level of permissions, which makes the deployment of malicious payloads a trivial task. Unfortunately, the very tools that are compromised may even be the same tools tasked to stop or discover an intrusion.”