The Lazarus hacker gang, backed by North Korea, has shifted its emphasis to new targets and has been detected by Kaspersky security experts improving its supply chain attack potentialities.
After breaching a Latvian IT provider in May, Lazarus employed a new form of the BLINDINGCAN backdoor to attack a South Korean research tank in June.
CISA and the FBI were the first to notice the backdoor employed in these attacks. It can evade detection by removing itself from compromised systems, spawn and kill processes, exfiltrate data, and interfere with file and folder timestamps.
As per Kaspersky’s Q3 2021 APT trends report, Lazarus also used the BLINDINGCAN backdoor to transmit the COPPERHEDGE remote access trojan (RAT).
In the past, Lazarus used the same RAT to attack bitcoin exchanges and other connected companies. This virus is notorious for assisting its operators with system reconnaissance, executing arbitrary instructions on compromised systems, and data exfiltration.
The Lazarus Gang (also known by the US Intelligence Community as HIDDEN COBRA) is a military hacking group supported by the Democratic People’s Republic of Korea operating since at least 2009.
They are mainly responsible for organizing the global WannaCry ransomware operation in 2017 and targeting high-profile businesses such as Sony Films in Operation Blockbuster and various banks worldwide.
In January, Google discovered Lazarus while conducting social engineering attacks on security researchers via elaborate false “security researcher” social media profiles, and again in March during a similar effort.
According to Ariel Jungheit, a senior security researcher at Kaspersky, these latest activities show two things: Lazarus remains interested in the military industry and is attempting to enhance its skills with supply chain attacks.
When carried out properly, supply chain attacks may have severe consequences, affecting far more than one firm. The same was witnessed with the SolarWinds hack last year.
In September 2019, the US Treasury sanctioned three DPRK-backed hacking groups (Lazarus, Bluenoroff, and Andariel).