The Lazarus threat actor group has developed the ability to attack supply chains, signaling the notorious crew has expanded its roster of potential targets, according to a new Kaspersky report.
Such is the threat of supply chain attacks--as emboldened by the successful SolarWinds assault--that the Cybersecurity and Infrastructure Agency (CISA) last month released a new framework for government and private sector organizations on how to engage with managed security service providers (MSSPs) and managed service providers (MSPs) to minimize supply risk and improve overall security.
The North-Korea tied Lazarus is also using its multi-platform (Windows, Linux and MacOS) MATA platform to conduct cyber espionage in the defense industry, one of its favored targets, Kaspersky said.
How Lazarus Hacker Group Allegedly Operates
Here’s what Kaspersky has allegedly turned up on Lazarus:
- Supply chain attack capabilities. Lazarus has also been spotted building supply chain attack capabilities with an updated DeathNote cluster, consisting of a slightly updated variant of the BLINDINGCAN malware previously reported by CISA.
- Cyber espionage using MATA. Lazarus delivered a Trojanized version of an application known to be used by their victim. Last year, Lazarus attacked the defense industry in the ThreatNeedle campaign that was similarly orchestrated.
- Campaigns targeting South Korea. Kaspersky researchers discovered campaigns targeting a South Korean think tank and an IT asset monitoring solution vendor. In the think tank incident, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload. In the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks,” said Ariel Jungheit, a senior security researcher on Kaspersky’s Global Research and Analysis Team. “This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad,” Jungheit said.
How MSSPs Can Mitigate Lazarus Group Cyberattack Threats
Kaspersky recommends that organizations take these five measures to avoid being victimized by a targeted attack:
- Provide your SOC team with access to the latest threat intelligence.
- Upskill your cybersecurity team to tackle the latest targeted threats.
- Implement EDR solutions for endpoint level detection, investigation, and timely remediation of incidents.
- Implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.
- Introduce security awareness training and teach practical skills to your team. Many targeted attacks start with phishing or other social engineering techniques that can take advantage of untrained employees.
Lazarus has been among the world’s most active cyber attackers for more than a decade. Not only has it conducted large scale cyber espionage and ransomware campaigns, it has also attacked the defense industry and cryptocurrency markets. The group has been tied to a number of high profile offensives, including:
- The $81 million heist from the Bangladesh Central Bank in 2016.
- The infamous attack on Sony Pictures in 2014 that cost the studio millions.
- The destructive WannaCry ransomware assault in 2017.
- Dozens of large cyber robberies on automated teller machines in 2018 from which it lifted millions of dollars in a two-year wave of cyber burglaries.
