North Korean Lazarus Hackers Leverage npm Packages for Widespread Cyber Attacks
Explore the recent cybersecurity breach where North Korean Lazarus hackers infected hundreds of systems via malicious npm packages.
TL;DR
- North Korean Lazarus hackers have infected hundreds of systems using malicious npm packages.
- Six malicious packages have been identified, highlighting the group’s evolving tactics.
- The attack underscores the ongoing threat posed by state-sponsored cyber espionage.
Main Content
Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
Understanding the Threat
The Lazarus Group, also known as Guardians of Peace or Whois Team, is a hacker group made up of an unknown number of individuals and is alleged to be run by the North Korean government.
Researchers have attributed many cyberattacks to the group since 2010. Originally regarded as a criminal group, it has since been designated an advanced persistent threat because of the deliberate nature of its operations, the threat it poses, and the wide array of methods it uses.
The earliest known attack that the group is responsible for is known as “Operation Troy”, which took place from 2009 to 2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul.
They were also responsible for attacks in 2011 and 2013. Though uncertain, it is possible that they were also behind a 2007 attack targeting South Korea.
A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time.
The Lazarus Group were reported to have stolen US$12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam’s Tien Phong Bank in 2015. They have also targeted banks in Poland and Mexico.
The 2016 Bangladesh Bank heist, in which US$81 million was stolen, was also attributed to the group. In 2017, Lazarus was reported to have stolen US$60 million from Taiwan’s Far Eastern International Bank, although the actual amount taken was unclear and most of the funds were recovered.
It is not clear who is really behind the group, but media reports have suggested it has links to North Korea. Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on espionage and infiltration, whereas a sub-group within the organisation, which Kaspersky called Bluenoroff, specialised in financial attacks. Kaspersky found multiple attacks worldwide and a direct link (an IP address) between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the reused code could be a “false flag” meant to mislead investigators and pin the attacks on North Korea, noting that the worldwide WannaCry worm likewise copied techniques from the NSA: that ransomware leveraged the NSA exploit known as EternalBlue, which the hacker group Shadow Brokers made public in April 2017.
Symantec reported in 2017 that it was “highly likely” that Lazarus was behind the WannaCry attack.
Lazarus Group’s Growing Sophistication
The Lazarus Group’s tactics have evolved significantly over the years, from basic DDoS attacks to sophisticated malware deployments. Their ability to adapt and innovate makes them a formidable threat in the cybersecurity landscape.
Conclusion
The recent incident involving malicious npm packages highlights the ongoing threat posed by the Lazarus Group. As cybersecurity measures evolve, so do the tactics of hacker groups, necessitating constant vigilance and adaptation from security professionals.