Security researchers have connected the North Korean state-sponsored Lazarus hacking gang to a recent cyber espionage campaign targeting energy suppliers in the United States, Canada, and Japan that exploited the Log4j bug.

The threat intelligence firm Cisco Talos reported on Thursday that between February and July of this year it observed Lazarus, also known as APT38, targeting unspecified energy companies in the United States, Canada, and Japan. According to Cisco’s research, the attackers gained an initial foothold on a victim’s enterprise network by compromising internet-exposed VMware Horizon servers through the Log4j vulnerability known as Log4Shell. They then deployed specialized malware known as “VSingle” and “YamaBot” to establish long-term persistent access. Japan’s CERT, the country’s national cyber emergency response organization, has reportedly linked YamaBot to the Lazarus APT.

In April of this year, Symantec made public the specifics of this spying operation, attributing it to “Stonefly,” a different North Korean hacking outfit that shares some similarities with Lazarus.

Cisco Talos previously identified a previously unknown remote access trojan (RAT) called MagicRAT, attributed to the Lazarus Group, which the hackers use for reconnaissance and credential theft.

The Majors

According to Talos’s research, the main goal of these attacks is to establish long-term access to victim networks in order to conduct espionage operations in support of North Korean government objectives. This is consistent with previous Lazarus intrusions into energy and critical infrastructure businesses, which aimed to create persistent access for stealing proprietary intellectual property.

The Lazarus Group is a financially motivated hacking organization backed by the North Korean government. The group was behind the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Supporting North Korea’s governmental goals, including military research and development and circumventing international sanctions, is another motivation behind Lazarus.

However, the group recently shifted its focus to blockchain and cryptocurrency companies. It has been connected to the recent theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain built for the well-known play-to-earn game Axie Infinity, and to the theft of $100 million in bitcoin assets from Harmony’s Horizon Bridge.

For years, Pyongyang has utilized stolen cryptocurrencies and other data theft to finance its nuclear weapons programme.

In July, the U.S. administration doubled the $10 million reward it had previously promised in exchange for information on members of state-sponsored North Korean threat groups like Lazarus. In April, the State Department disclosed.
