Operation SyncHole: Lazarus APT Targets South Korean Supply Chains
TL;DR
- The North Korean Lazarus Group has targeted at least six South Korean firms in a sophisticated cyber espionage campaign known as Operation SyncHole.
- The campaign leveraged watering hole tactics and exploited software vulnerabilities, highlighting the urgent need for enhanced cybersecurity measures in targeted sectors.
Introduction
Kaspersky researchers have uncovered a sophisticated cyber espionage campaign, dubbed Operation SyncHole, orchestrated by the North Korea-linked Lazarus Group. This campaign, active since at least November 2024, has targeted at least six firms in South Korea across various sectors, including IT, finance, semiconductors, and telecom. The operation highlights the group’s evolving tactics and the critical need for robust cybersecurity measures.
Operation SyncHole: An Overview
Targeted Sectors and Tactics
The Lazarus Group employed watering hole tactics and exploited software vulnerabilities to infiltrate South Korean organizations. Watering hole attacks involve compromising legitimate websites frequently visited by the target group, ensuring that the malicious payloads are delivered to the intended victims.
Initial Discovery and Response
Kaspersky notified the Korea Internet & Security Agency (KrCERT/CC) after discovering that the threat actor exploited a one-day vulnerability in Innorix Agent for lateral movement within compromised networks. The initial infection was detected in November 2024, when a variant of the ThreatNeedle backdoor was found running in the memory of a legitimate SyncHost.exe process, created as a subprocess of Cross EX, a legitimate software developed in South Korea.
Malware and Tools Deployed
The attackers utilized a diverse array of hacking tools and malware, including:
- ThreatNeedle: A backdoor used for initial infection.
- Agamemnon downloader: Facilitated payload delivery.
- wAgent: Used for internal reconnaissance.
- SIGNBT: Employed for payload delivery with encrypted C2 communication.
- COPPERHEDGE: Utilized for further internal reconnaissance.
Exploitation of South Korean Software
The Lazarus Group exploited vulnerabilities in South Korean software, notably Innorix Agent and Cross EX, to infiltrate systems and spread malware. These programs, which run continuously in the background, are attractive targets due to their high system privileges. The National Cyber Security Center of South Korea issued advisories on these risks in 2023, highlighting the ongoing threat.
Phases of the Operation
Operation SyncHole consisted of two distinct phases:
- Initial Phase:
  - Utilized ThreatNeedle and wAgent malware.
  - Focused on initial infection and reconnaissance.
- Second Phase:
  - Introduced SIGNBT and COPPERHEDGE.
  - Shifted towards more aggressive and frequent attacks after the initial detection and response.
Evolution of Tactics
Following the early detection and response to the first attack, the Lazarus Group modified its tactics. Researchers observed three updated malware chains in subsequent attacks, indicating the group’s adaptability and determination to continue their operations despite increased scrutiny.
Modular and Stealthy Malware
The Lazarus Group’s shift towards modular, stealthy, and locally tailored malware is evident in their use of advanced encryption techniques and system persistence methods. For example, ThreatNeedle was split into Loader and Core components, employing ChaCha20 with Curve25519 encryption. wAgent utilized AES-128-CBC decryption and leveraged RSA via the GMP library.
Implications and Future Threats
The specialized attacks targeting supply chains in South Korea are expected to continue. Research has shown that many software development vendors in Korea have already been compromised, and the discovery of zero-day vulnerabilities is likely to persist. The Lazarus Group’s efforts to minimize detection by developing new malware or enhancing existing tools underscore the need for vigilant cybersecurity practices.
Additional Resources
For further insights, check: