The biggest cryptocurrency heist in history: The story behind North Korean hackers, Lazarus Group

MarsBit
02-22

The following content is translated from the Wikipedia article "Lazarus Group":

The Lazarus Group (also known as "Guardians of Peace" or "Whois Team") is a hacker group of unknown size, allegedly controlled by the North Korean government. While little is known about the group, researchers have attributed multiple cyber attacks to it since 2010.

The group started as a criminal enterprise, but is now considered an advanced persistent threat (APT) group due to its malicious intent, the threats it poses, and the various tactics it employs. Cybersecurity firms have given them several nicknames, such as "Hidden Cobra" (used by the U.S. Department of Homeland Security to refer to malicious cyber activity by the North Korean government), and "ZINC" or "Diamond Sleet" (used by Microsoft). According to a North Korean defector, Kim Kuk-song, the group is known as the "414 Liaison Office" within North Korea.

The Lazarus Group is closely linked to North Korea. The U.S. Department of Justice has stated that the group is part of North Korea's strategic objectives, aiming to "disrupt global cybersecurity" and "generate illicit revenue in violation of sanctions." North Korea benefits greatly from its cyber operations, maintaining a small but highly capable team that poses a "global-scale" asymmetric threat, especially against South Korea.

History

The group's earliest known attacks were the "Trojan Horse" operations from 2009 to 2012, a cyber espionage campaign targeting the South Korean government in Seoul using relatively simple distributed denial-of-service (DDoS) techniques. They also carried out attacks in 2011 and 2013, and a 2007 attack on South Korea may also have been their work, though this is unconfirmed. A notable attack by the group occurred in 2014, targeting Sony Pictures.

In 2015, the Lazarus Group reportedly stole $12 million from Banco del Austro in Ecuador and $1 million from Tien Phong Bank in Vietnam. They also targeted banks in Poland and Mexico. In 2016, they were behind an attack on a bank that resulted in the theft of $81 million. In 2017, there were reports that the Lazarus Group stole $60 million from the Far Eastern International Bank in Taiwan, though the exact amount stolen is unclear, and most of the funds were recovered.

The true masterminds behind the group remain unclear, but media reports indicate close ties to North Korea. A 2017 Kaspersky report suggested that the Lazarus Group tends to focus on espionage and infiltration attacks, while a sub-group called "Bluenoroff" specializes in financial cyber attacks. Kaspersky found multiple attack incidents globally and discovered direct IP address associations between Bluenoroff and North Korea.

However, Kaspersky also acknowledged that code reuse could be a "false flag" operation to mislead investigators and frame North Korea, as the global "WannaCry" ransomware attack also borrowed from the U.S. National Security Agency's techniques. In 2017, Symantec reported that the "WannaCry" attack was most likely the work of the Lazarus Group.

The "Trojan Horse" Operations in 2009

The Lazarus Group's first major hacking incident occurred on July 4, 2009, marking the start of the "Trojan Horse" operations. This attack used the "My Apocalypse" and "Bulldozer" malware to launch large-scale but relatively unsophisticated DDoS attacks on websites in the U.S. and South Korea. The attack targeted around 36 websites and planted the text "Independence Day" in the master boot record (MBR).

The 2013 South Korean Cyber Attacks ("Operation 1" / "Dark Seoul" Operations)

Over time, the group's attack methods became more complex, with more mature and effective techniques and tools. The "Ten Days of Rain" attack in March 2011, targeting South Korean media, finance, and critical infrastructure, used more sophisticated DDoS attacks originating from compromised computers within South Korea. On March 20, 2013, the "Dark Seoul" operation was launched, a data-wiping attack targeting three South Korean broadcasters, financial institutions, and an internet service provider. At the time, two other groups, the "New Romanic Cyber Army Team" and the "WhoIs Team," claimed responsibility for this attack, but researchers later determined that the Lazarus Group was the mastermind behind these destructive attacks.

Late 2014: Invasion of Sony Pictures

On November 24, 2014, the Lazarus Group's attacks reached a peak. A post appeared on Reddit claiming that Sony Pictures had been infiltrated by unknown means, with the attackers identifying themselves as the "Guardians of Peace." A large amount of data was stolen and gradually leaked over the following days. A person claiming to be a member of the group stated that they had been accessing Sony's data for over a year.

The hackers gained access to unreleased films, partial film scripts, future film plans, executive salary information, emails, and personal information of about 4,000 employees.

Early 2016 Investigation: "Operation Blockbuster"

Codenamed "Operation Blockbuster," a coalition of security companies led by Novetta analyzed malware samples found in various cyber security incidents. Using code reuse patterns, the team was able to link the Lazarus Group to multiple attacks, such as the use of the obscure "Cantopee" encryption algorithm.

The 2016 Bank Heist

In February 2016, a bank heist occurred. Hackers used the SWIFT network to issue 35 fraudulent transfer instructions, attempting to illegally move nearly $1 billion from the central bank's account at the Federal Reserve Bank of New York. Five of the 35 instructions succeeded, transferring $101 million, with $20 million going to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York became suspicious due to a misspelling in one instruction and blocked the remaining 30 transactions worth $850 million. Cybersecurity experts attributed this attack to the Lazarus Group from North Korea.

The "WannaCry" Ransomware Attack in May 2017

"WannaCry" was a large-scale ransomware cyber attack on May 12, 2017 that affected numerous organizations globally, from the UK's National Health Service (NHS) to Boeing and even some universities in China. The attack lasted for 7 hours and 19 minutes. Europol estimated that it affected around 200,000 computers in 150 countries, with the most affected regions being Russia, India, Ukraine, and Taiwan. This was one of the earliest known crypto-worm attacks. Crypto-worms are a type of malware that can spread between computers over a network without direct user interaction; in this case, it spread through TCP port 445. Computers could be infected without anyone clicking a malicious link, as the malware could self-propagate from one infected computer to connected printers and then to other nearby computers on the wireless network. The vulnerability reachable through port 445 allowed the malware to spread freely within internal networks, rapidly infecting thousands of computers.

Attack Method: The virus exploited a vulnerability in the Windows operating system, then encrypted the computer's data and demanded payment of around $300 worth of Bitcoin for the decryption key. To pressure victims into paying, the ransom doubled after three days, and the encrypted data would be deleted if no payment was made within a week. The malware used legitimate Microsoft-developed software called "Windows Crypto" to encrypt files. After encryption, the files were renamed with the "Wincry" extension, hence the name "WannaCry". "Wincry" was the basis for the encryption, but the malware also leveraged two other vulnerabilities, "EternalBlue" and "DoublePulsar", to become a crypto-worm: "EternalBlue" allowed the virus to spread automatically over the network, and "DoublePulsar" triggered the virus to activate on the victim's computer.

Security researcher Marcus Hutchins, who received a sample of the virus from a friend at a security research company, discovered a "kill switch" hardcoded into the malware, which halted the attack. The malware would periodically check whether a specific domain had been registered, and would only continue the encryption process if the domain did not exist. Hutchins found this check and registered the domain on the afternoon of May 12th UTC, causing the malware to immediately stop spreading and infecting new devices. This was an unexpected victory, and it provided clues for tracking down the virus's creators. Stopping malware typically requires months of back-and-forth between hackers and security experts, so such an easy win was surprising. Another unusual aspect was that files could not be recovered even after paying the ransom: the hackers received only $130,000 in ransom, suggesting their goal was disruption rather than financial gain.

The ease with which the "kill switch" was discovered, as well as the relatively small ransom collected, led many to believe the attack was state-sponsored, with the motive being to sow chaos rather than for financial compensation. After the attack, security experts traced the "DoublePulsar" vulnerability back to the U.S. National Security Agency, where it had been developed as a cyber weapon. The "Shadow Brokers" hacker group had later stolen this vulnerability and unsuccessfully tried to auction it off, before eventually releasing it for free. Microsoft had patched the vulnerability in a March 2017 update, less than a month before the attack, but due to the update not being mandatory, many vulnerable computers had still not been fixed by May 12th, allowing the attack to cause significant damage.
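A defender-side example, added here and not part of the Wikipedia text or of any tool it names: the kill-switch domain lookup and the TCP port 445 fan-out described in the two passages above, turned into triage logic over constructed DNS and firewall log excerpts. The domain name, IP addresses, log formats and fan-out threshold are placeholders and assumptions, not values from the article.

```python
"""Triage of WannaCry-style indicators from DNS query logs and firewall logs.
Constructed sample data; the kill-switch domain below is a placeholder, not
the real one, and the log line formats are assumed for this example."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-sinkhole.example"  # placeholder, assumed
SMB_FANOUT_THRESHOLD = 5  # distinct TCP/445 destinations per source (assumed)

DNS_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN A")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)/tcp (?P<action>\w+)")

# Constructed sample logs: one resolver query log and one firewall connection log.
DNS_LOG = """\
2017-05-12T14:22:01Z client 10.0.0.5#49152: query: updates.example IN A
2017-05-12T14:22:09Z client 10.0.0.17#51000: query: killswitch-sinkhole.example IN A
2017-05-12T14:22:10Z client 10.0.0.17#51001: query: killswitch-sinkhole.example IN A
2017-05-12T14:23:40Z client 10.0.0.42#53011: query: killswitch-sinkhole.example IN A
"""
CONN_LOG = """\
2017-05-12T14:21:50Z 10.0.0.17 -> 10.0.0.20:445/tcp allow
2017-05-12T14:21:51Z 10.0.0.17 -> 10.0.0.21:445/tcp allow
2017-05-12T14:21:51Z 10.0.0.17 -> 10.0.0.22:445/tcp deny
2017-05-12T14:21:52Z 10.0.0.17 -> 10.0.0.23:445/tcp allow
2017-05-12T14:21:52Z 10.0.0.17 -> 10.0.0.24:445/tcp allow
2017-05-12T14:21:53Z 10.0.0.17 -> 10.0.0.25:445/tcp allow
2017-05-12T14:22:30Z 10.0.0.5 -> 10.0.0.9:445/tcp allow
2017-05-12T14:25:00Z 10.0.0.5 -> 10.0.0.10:443/tcp allow
"""

def killswitch_lookups(dns_log):
    """Map source IP -> number of A queries for the kill-switch domain.
    A host that queried the domain ran the malware's startup check; once the
    domain resolved, that same check is what made the malware stop."""
    hits = defaultdict(int)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group("qname").rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hits[m.group("src")] += 1
    return dict(hits)

def smb_fanout(conn_log):
    """Map source IP -> set of distinct destinations contacted on TCP/445.
    Denied attempts count too: the scanning pattern is the signal, not its
    success. No time window is applied here; a real detector would add one."""
    fanout = defaultdict(set)
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and m.group("dport") == "445":
            fanout[m.group("src")].add(m.group("dst"))
    return dict(fanout)

def triage(dns_log, conn_log, threshold=SMB_FANOUT_THRESHOLD):
    """Return host -> set of indicator tags; hosts with no indicator are omitted."""
    lookups, fanout = killswitch_lookups(dns_log), smb_fanout(conn_log)
    verdict = {}
    for host in set(lookups) | set(fanout):
        tags = set()
        if host in lookups:
            tags.add("killswitch_lookup")
        if len(fanout.get(host, ())) >= threshold:
            tags.add("smb_fanout")
        if tags:
            verdict[host] = tags
    return verdict
```

A host carrying both tags reached the propagation stage despite the check, so it deserves isolation before hosts that only show the lookup.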

Aftermath: The U.S. Department of Justice and UK authorities later attributed the "WannaCry" attack to the North Korean hacker group Lazarus.

Cryptocurrency Attacks in 2017

In 2018, Recorded Future reported that the Lazarus Group was behind attacks targeting users of the cryptocurrencies Bitcoin and Monero, primarily in South Korea. These attacks were said to be technically similar to the previous "WannaCry" ransomware attack and the attack on Sony Pictures. One Lazarus Group tactic was exploiting vulnerabilities in the South Korean word processing software Hangul (developed by Hancom). Another was sending phishing emails with malware to South Korean students and users of cryptocurrency exchanges like Coinlink.

If users opened the malware, their email addresses and passwords would be stolen. Coinlink denied that its website or user email addresses and passwords had been hacked. The report concluded that "the series of attacks at the end of 2017 indicates that a nation-state's interest in cryptocurrency has only grown, and we now know this interest spans a wide range of activities including mining, ransomware attacks, and direct theft." The report also suggested the nation-state was using these cryptocurrency attacks to evade international financial sanctions.

In February 2017, North Korean hackers stole $7 million from the South Korean cryptocurrency exchange Bithumb. Another South Korean Bitcoin trading company, Youbit, was attacked in April 2017 and again in December 2017, losing 17% of its assets and ultimately filing for bankruptcy. The Lazarus Group and North Korean state hackers were implicated in these attacks. In December 2017, the cryptocurrency cloud mining marketplace NiceHash lost over 4,700 Bitcoins, with an investigation linking this attack to the Lazarus Group.

The September 2019 Attack

In mid-September 2019, the U.S. issued a public alert about a new malware strain called "ElectricFish". Since early 2019, North Korean operatives had carried out five major cyber heists globally, including successfully stealing $49 million from an institution in Kuwait.

The Late 2020 Attack on Pharmaceutical Companies

As the COVID-19 pandemic continued, pharmaceutical companies became a primary target for the Lazarus Group. Lazarus Group members used phishing techniques, posing as health officials, to send malicious links to pharmaceutical company employees. Multiple large pharmaceutical firms are believed to have been targeted, with the only confirmed victim being the AstraZeneca joint venture. Many employees, including some involved in COVID-19 vaccine development, were targeted. The purpose of these attacks is unclear, but may include stealing sensitive information for profit, running extortion schemes, or enabling North Korea to acquire proprietary COVID-19 research results. AstraZeneca has not commented on the incident, and experts believe no sensitive data has been leaked so far.

The January 2021 Attack on Cybersecurity Researchers

In January 2021, Google and Microsoft both publicly reported that a North Korean hacker group had launched attacks against cybersecurity researchers, with Microsoft explicitly attributing the attacks to the Lazarus Group.

The hackers created multiple user profiles on platforms like Twitter, GitHub, and LinkedIn, posing as legitimate software vulnerability researchers, and interacting with content posted by others in the security research community. They would then directly contact specific security researchers, claiming to want to collaborate on research, and lure victims into downloading malware-infected files or visiting blogs controlled by the hackers.

Some victims who accessed the blog posts reported that their computers were compromised, even though they were using fully patched Google Chrome browsers, suggesting the hackers may have exploited a previously unknown Chrome zero-day vulnerability. However, Google stated in its report that the exact method of intrusion could not be determined.

Axie Infinity Hacking Incident in March 2022

In March 2022, the Lazarus Group was accused of stealing $620 million worth of cryptocurrency from the Ronin network used by the Axie Infinity game. The FBI stated: "Through the investigation, we have confirmed that the Lazarus Group and APT38 (a North Korea-associated cyber actor) were behind the theft."

Horizon Bridge Attack Incident in June 2022

The FBI confirmed that the North Korean malicious cyber actor group Lazarus Group (also known as APT38) was behind the theft of $100 million in virtual currency from Harmony's Horizon bridge, reported on June 24, 2022.

Other Cryptocurrency Attack Incidents in 2023

A report by the blockchain security platform Immunefi stated that the Lazarus Group was responsible for over $300 million in cryptocurrency hacking incidents in 2023, accounting for 17.6% of the total losses that year.

Atomic Wallet Attack Incident in June 2023: In June 2023, the FBI confirmed that over $100 million in cryptocurrency was stolen from Atomic Wallet users.

Stake.com Hacking Incident in September 2023: In September 2023, the FBI confirmed that $41 million in cryptocurrency was stolen from the online casino and gambling platform Stake.com, with the Lazarus Group as the perpetrator.

U.S. Sanctions

On April 14, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) listed the Lazarus Group on the Specially Designated Nationals (SDN) List under the North Korea sanctions regulations.

Cryptocurrency Attack Incident in 2024

According to Indian media reports, a local cryptocurrency exchange called WazirX was attacked by the group, with $234.9 million worth of cryptocurrency assets stolen.

Personnel Training

It is rumored that some North Korean hackers are sent to Shenyang, China for professional training, learning how to implant various malware into computers, computer networks, and servers. Within North Korea, Kim Chaek University of Technology, Kim Il Sung University, and Mangyongdae University are responsible for related education, selecting the best students nationwide for six years of special education. In addition to university education, "some of the best programmers... are sent to Mangyongdae University or Mirim College for further study."

Organizational Branches

The Lazarus Group is believed to have two branches.

BlueNorOff

BlueNorOff (also known as APT38, "Bluenoroff", "BeagleBoyz", "NICKEL GLADSTONE") is a profit-driven organization that conducts illegal fund transfers by forging SWIFT instructions. Mandiant refers to it as APT38, while Crowdstrike calls it "Bluenoroff".

According to a 2020 U.S. Army report, BlueNorOff has around 1,700 members who focus on long-term assessment and exploitation of enemy network vulnerabilities and systems for financial cybercrime activities to generate economic benefits or control relevant systems for the regime. Between 2014 and 2021, they targeted at least 16 institutions in 13 countries, including Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, and Vietnam. It is believed that the illicit proceeds were used for the development of the country's missile and nuclear technology.

BlueNorOff's most notorious attack was a 2016 bank heist, where they attempted to illegally transfer nearly $1 billion from the central bank's account at the Federal Reserve Bank of New York through the SWIFT network. Some transactions were successful ($20 million went to Sri Lanka, $81 million went to the Philippines), but the Federal Reserve Bank of New York became suspicious due to a misspelled instruction and prevented the remaining transactions.

Malware associated with BlueNorOff includes: "DarkComet", "Mimikatz", "Nestegg", "Macktruck", "Wanna Cry", "Whiteout", "Quickcafe", "Rawhide", "Smoothride", "TightVNC", "Sorrybrute", "Keylime", "Snapshot", "Mapmaker", "net.exe", "sysmon", "Bootwreck", "Cleantoad", "Closeshave", "Dyepack", "Hermes", "Twopence", "Electricfish", "Powerratankba", and "Powerspritz".

BlueNorOff's common tactics include: phishing, backdoor setup, vulnerability exploitation, watering hole attacks, executing code on systems by exploiting outdated and insecure Apache Struts 2 versions, strategically compromising websites, and accessing Linux servers. There are reports that they sometimes collaborate with criminal hackers.

AndAriel

AndAriel, also spelled Andarial, has other aliases: "Silent Chollima", "Dark Seoul", "Rifle", and "Wassonite". Its distinguishing feature is its focus on South Korea. The alias "Silent Chollima" comes from the organization's secretive nature.

According to a 2020 U.S. Army report, the AndAriel group has around 1,600 members whose mission is to conduct reconnaissance, assess network vulnerabilities, and map enemy networks for potential attacks. In addition to South Korea, they have targeted the governments, infrastructure, and enterprises of other countries. Their attack methods include: exploiting ActiveX controls, South Korean software vulnerabilities, watering hole attacks, spear-phishing (via macro viruses), attacking IT management products (such as antivirus software and project management software), and supply chain attacks (through installers and updates). The malware they use includes: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.

Prosecution of Related Individuals

In February 2021, the U.S. Department of Justice indicted three members of the North Korean military intelligence agency's Reconnaissance General Bureau, Park Jin Hyok, Jon Chang Hyok, and Kim Il Park, for their involvement in Lazarus Group hacking activities. Park Jin Hyok had already been indicted in September 2018. These suspects are currently not in U.S. custody. Additionally, a Canadian and two Chinese individuals were charged as money transmitters and money launderers for the Lazarus Group.
