Thought leadership. threat analysis, news and alerts.
U.S. Justice Dept. Charges Alleged Member of Lazarus Group Over WannaCry Cyberattack
The U.S. Justice Department has formally charged a North Korean national, believed to be a member of the notorious hacking group known as “Lazarus” over WannaCry cyberattack and two other high-profile attacks, the Sony Pictures cyberattack and the cyberheist at the Bangladesh Bank.
The Justice Department filed a criminal complaintlast June 8, 2018 against North Korean national Park Jin Hyok for WannaCry, Sony and Bangladesh Bank cyberattacks. This criminal complaint though wasn’t made public when it was filed. It was only made public during the recent announcement by the Justice Department.
The WannaCry, Sony and Bangladesh Bank cyberattacks are among the notorious cyberattacks in recent years. On May 12, 2017, WannaCry cyberattack shook the online world after it locked down more than 300,000 computers in over 150 countries in less than 24 hours and demanded ransom payment from victims.
The Sony Pictures cyberattack in November 2014 stunned the company after thousands of its computers were rendered inoperable and unreleased movie scripts and other confidential information were made public.
The cyberheist at the Bangladesh Bank shook the financial sector in February 2016, after the fraudulent transfer of $81 million from the bank. To date, this $81-million fraudulent bank transfer is the largest successful cybertheft from a financial institution.
The criminal complaint, specifically filed by Federal Bureau of Investigation (FBI) Special Agent Nathan Shields, stated that there’s sufficient evidence that shows Park was a member of the conspiracies that resulted to the WannaCry, Sony, Bangladesh Bank successful intrusions as well as attempted intrusions, including the attempted intrusion at the U.S. defense contractor Lockheed Martin.
Shields said that Park, a computer programmer, used to work at a China-based company Chosun Expo. This company, Shields said, is a "North Korean government front company for a North Korean hacking organization”.
Cybersecurity organizations like Symantec, BAE Systems and Kaspersky Lab have called this North Korean hacking organization as “Lazarus”.
"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects),” Shields said.
Shields said that there are numerous connections between Park, his true-name email and social media accounts, and the operational accounts used by the Lazarus group to conduct the successful intrusions and attempted intrusions.
According to Shields, the strongest link between the Lazarus group and the successful intrusions in WannaCry, Sony and Bangladesh Bank, and the attempted intrusion in Lockheed Martin is the FakeTLS table.
Shields said the FakeTLS table was found in WannaCry Version 0. It was also found in all three samples of Macktruck malware found at Sony attack, the Macktruck malware found in a spear-phishing document used in the attempted intrusion at Lockheed Martin, and the Nestegg malware found at Bangladesh Bank cyberheist.
TLS, short for Transport Layer Security, refers to a cryptographic protocol that’s used to increase the security of communications between computers. The “FakeTLS”, meanwhile, refers to a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method. By utilizing “fake” TLS, Shields said, attackers can carry on communications without tripping security alerts as many intrusion detection systems “ignore the traffic because they assume the contents cannot be decrypted and that the traffic is a common communication protocol”.
Shields added that the following technical similarities connect the malware used in WannaCry, Sony, Bangladesh Bank and Lockheed Martin:
Kaspersky Lab, for its part, said Lazarus is operating a malware factory that produces new samples via multiple independent conveyors. “The scale of the Lazarus operations is shocking,” Kaspersky Lab said.
Kaspersky Lab also agrees that Lazarus group was responsible for the WannaCry, Sony and Bangladesh Bank attacks.
According to Kaspersky Lab, from December 2015 to March 2017, its researchers collected malware samples relating to Lazarus group activity which appeared in financial institutions, casinos, software developers for investment companies and cryptocurrency businesses. Kaspersky Lab researchers found that although the Lazarus group was careful enough to wipe any traces of their illegal activities, one server that the group breached contained a serious mistake with an important evidence left behind.
The compromised server, Kaspersky Lab said, was used as a command and control center for a malware. While the group tested the compromised server using VPN/proxy servers to conceal their true IP address, the group committed one mistake as one connection came from a very rare IP address range in North Korea, Kaspersky Lab said.
Symantec, for its part, said there’s a strong link between Lazarus and WannaCry, Sony and Bangladesh Bank attacks.
According to Symantec, evidence gathered from an early version of WannaCry malware found three other malware: Trojan.Volgmer and two variants of Backdoor.Destover – software programs that were used as disk-wiping tools used in the Sony attack. Symantec added that WannaCry shares a code with Backdoor.Contopee – a malware used by the Lazarus group in intrusions at banks.
The attack methods of Lazarus group keep on evolving. One form of cyberdefense, therefore, isn’t enough to counter these attacks. Here are some of the attack methods used by the Lazarus group and corresponding preventive measures:
1. Exercise Caution in Clicking Links
One of the intrusion methods used by Lazarus is via spear-phishing email. According to the FBI, the group made an exact copy of a legitimate Facebook email but the hyperlinked text “Log In” that supposedly lead to the official Facebook page instead goes to a URL controlled by the group and directed victims to a malware.
2. Exercise Caution in Visiting Websites
One of the intrusion methods used by Lazarus, according to Kaspersky Lab, is by hacking government websites through known security vulnerabilities. When a target visits said compromised government website, the target’s computer then becomes infected.
3. Keep All Software Up-to-Date
The simple reason that the Lazarus group was successful in its WannaCry attack is that many have failed to update their Windows operating system. WannaCry Version 2, the one that hit worldwide on May 12, 2017, compromised Windows operating systems that fail to install Microsoft’s March 14, 2017 security update and older versions of Windows that were no longer supported, including Windows XP, Windows 8, and Windows Server 2003.
Steve E. Driz, I.S.P., ITCP