Symantec blames North Korean Lazarus APT group for recent attacks on banks

Further investigation of the attacks against Polish banks allowed Symantec to determine that the North Korean Lazarus APT group was behind recent attacks on banks.

According to malware researchers at Symantec, the North Korean APT group Lazarus was likely behind a recent string of cyber attacks against organizations in 31 countries. Symantec also attributes to the Lazarus APT the high-profile attacks on Bangladesh Bank, Sony and South Korea.

The activity of the Lazarus Group surged in 2014 and 2015. Its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage operations aimed at destroying data and disrupting systems.

Experts at Symantec collected evidence demonstrating that the Lazarus APT group was behind the campaign, which leveraged a “loader” program used to stage attacks by installing other malicious programs.

“We are reasonably certain” Lazarus was behind the attacks, Symantec researcher Eric Chien said in an interview with Reuters.

Both the US and South Korean governments blame Pyongyang for the attacks, but the North Korean government has denied allegations that it was behind the hacks.

Symantec did not identify the organizations targeted in the latest wave of attacks, and it is not clear whether the Lazarus APT group stole money from the victims.

According to the experts at the security firm, the campaign marked a significant escalation by the Lazarus APT group, which used more sophisticated targeting techniques than in its previous cyber attacks.

Experts at Symantec analyzed the hacking campaign launched last month by the Lazarus Group. The investigations started after Polish banks had been infected with a sophisticated strain of malware.

Polish banks confirmed their systems were infected with malware after their staff visited the website of the Polish Financial Supervision Authority.

To avoid spreading the malware, the authorities decided to shut down the entire network of the Polish Financial Supervision Authority (KNF) “in order to secure evidence.”

Security firms BAE Systems and Symantec both started investigations into the attacks. According to Symantec, the threat actor behind the attack is the same one that has targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The attackers used a “watering hole” technique, compromising a site their intended victims were known to visit, in order to infect the machines of a specific audience with previously unknown malware.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland,” reads the analysis published by Symantec.

At the time, Symantec said it had only “weak evidence” to blame the Lazarus APT, but the data gathered since then by its experts confirms the group’s involvement.

The malicious code was instructed to infect visitors whose IP address showed they were from 104 specific organizations in 31 countries.

The largest number of victims was in Poland, followed by the United States and Mexico.

Pierluigi Paganini

(Security Affairs – Lazarus APT, cybercrime)
