According to the findings of Russian experts at Group-IB, the Lazarus group is made up of Pyongyang-backed hackers. The group is suspected of hacking Sony in 2014 and of trying to steal $1 billion from the central bank of Bangladesh.
The Russian cybersecurity company Group-IB (which owns the largest computer forensics laboratory in Eastern Europe and the oldest investigations division in Russia; its customers include Rosneft, Citibank, Sberbank, Microsoft, Gazprom and others) has released a report presenting evidence that the well-known hacker group Lazarus is backed by the government of the DPRK. The report is published on the company's blog.
Lazarus is known mainly for the attack on the Central Bank of Bangladesh in February 2016. The attackers then tried to withdraw $1 billion, but some of the transactions were blocked and they managed to steal only $81 million. In addition, the Lazarus hackers were suspected of organising one of the largest corporate leaks, from a company belonging to the Sony Corporation, in 2014. As a result of the hack, unreleased films, as well as the personal data of Hollywood celebrities who worked with the company and of its employees, were posted on the Internet. The FBI formally accused North Korea of organising the attack.
According to Group-IB, in addition to the attacks above, Lazarus is responsible for hacking the networks of organisations in various countries, including pharmaceutical companies in Japan and China and universities in the USA, Canada, the UK, India, Bulgaria, Poland and Turkey.
As Group-IB established, the Lazarus attacks were controlled from two IP addresses belonging to the DPRK, one of which belongs to a North Korean Internet service provider. A check of that IP address in a WhoIs service showed that it is allocated to the Potonggang district of Pyongyang, which houses the DPRK National Defence Commission (the highest military authority in the country), the report says. The attack could, however, have come from any other building in the district, a Group-IB representative conceded. Nevertheless, the company representative insisted that they were the first to find the real IP addresses of the attackers, and that these addresses lie in the same block as the addresses identified in the investigation by South Korea's National Police Agency into the attack by the North Korean Dark Seoul Gang (another name for Lazarus) on South Korean TV stations and banks, the report says.
As the experts established, to preserve their anonymity the Lazarus hackers used the SoftEther VPN service, maintained by Zukovskis University in Japan, and Internet nodes located in the United States, China, Taiwan, Russia, Canada, Italy and Kuwait.
As Dmitry Volkov, co-founder and head of investigations at Group-IB, told RBC, the main purpose of the attacks is cyber-espionage and the surveillance of interbank transactions. The secondary goal, in some cases, is the opportunity to carry out unauthorised payments (theft of money).
What distinguishes Lazarus, according to the Group-IB co-founder, is that it is one of the first pro-government hacking groups to have attacked banks in order to disrupt their operations. "In addition, they use unique malware that is of interest to technical specialists," Volkov said.
In response to RBC's questions about the relationship between Lazarus and the government, a representative of the North Korean Embassy in Moscow sent, as an official reply, three items from North Korean news media. In those items, the information about the involvement of DPRK hackers is called a "dirty and naive scheming sensation", and the theory is put forward that the information is being circulated by South Korean media in order to "pour cold water on the trend of improving relations between North and South".
Not the first
The Group-IB study describes not only the tools but also the logic followed by the Lazarus hackers. "We focused on researching the infrastructure," says Volkov. "We found new evidence (not based on comparing malicious code) of the involvement of North Korean hackers in the recent incidents at banks. Attribution based on the similarity of malicious code is not always reliable, but when you see that this malware was controlled through a chain of anonymous nodes by the actor you suspected at the outset, the community gains a better understanding of the source of the threat, its goals and its motivation."
The assumption that North Korean hackers stand behind Lazarus has also been voiced by other cybersecurity companies, including Russia's Kaspersky Lab. In April the company released a report that also confirmed this assumption.
According to the lab's chief antivirus expert, Alexander Gostev, determining who is behind attacks in cyberspace is extremely difficult, and the deliberate use by groups of false markers designed to put researchers on the wrong track only complicates the task. "Various studies of the Lazarus group's activity have repeatedly pointed to North Korea, but the signs were mostly indirect," he says. "For example, the attack on Sony Entertainment was carried out before the premiere of 'The Interview', a comedy at the end of which the DPRK leader Kim Jong-un is killed. As a result, the premiere had to be postponed. Similarly with the attacks on South Korean sites: the assumption about the involvement of the 'northern neighbour' was based primarily on a possible motive."
Nevertheless, the company did manage to establish a connection between Lazarus and the DPRK. Gostev said that during the investigation of an incident at a bank in South-East Asia, a single request was seen from a rare IP address in North Korea. "According to one version, this may indicate that the attacker connected to the server with this address from North Korea. However, it is also impossible to exclude the possibility that the connection was a 'false flag', that is, a deliberate attempt to confuse the experts and put them on the wrong track, or that someone in North Korea visited the server address by accident," he explained.
According to another popular version, Lazarus is made up of hackers from Russia, Moldova and Kazakhstan. The Group-IB report, however, attempts to refute this. According to the company, Lazarus only masquerades as "Russian hackers". In particular, the program code was found to contain strings with Russian words written in Latin letters (they were used to describe the commands that the malware could receive from its command server): "poluchit", "ssylka", "pereslat" and so on. However, these verbs were not used the way a native speaker would use them, Group-IB believes. For example, in the case of the command "poluchit" (receive), the meaning of the word contradicts the action performed: it should instead have been a send command ("send").
According to Volkov, Lazarus adopted the image of Russian hackers because the media were actively building up the picture of a Russian threat. "Presumably, they decided to disguise themselves as Russian hackers because at that time news about attacks by Russian hackers was the most popular," he said.
Lazarus and WannaCry
Kaspersky Lab specialists have indicated that the North Korean Lazarus group may also be behind the WannaCry virus, which in mid-May attacked 200 thousand users in 150 countries. They noted, however, that the code similarity may be another "false flag". The American company Symantec has also found some traces pointing to the possible involvement of Lazarus in WannaCry. According to Volkov of Group-IB, there is too little technical data to attribute responsibility definitively. Security Council Secretary Nikolay Patrushev said that Russia still has no evidence of a specific country's involvement in the cyber attack and that the investigation continues. On May 29, experts at the American company Flashpoint, having analysed the text of the ransom note, concluded that the creators of the WannaCry virus could be from Hong Kong, southern China, Singapore or Taiwan.