APT group Lazarus targets defence industry

A previously unknown campaign by Lazarus, a highly prolific advanced persistent threat (APT) group with strong links to North Korea, has been targeting the defence industry with a custom backdoor dubbed ThreatNeedle. The backdoor moves laterally through infected networks, gathering sensitive information.

Lazarus is one of the most prolific threat actors today. It has been active since at least 2009 and linked to several large-scale cyber espionage campaigns, ransomware attacks, and even attacks against the crypto-currency market.

Over the past few years the group has been focusing primarily on financial entities, but from the beginning of last year, it appears to have added the defence industry to its targets.

A custom backdoor

Kaspersky researchers first became aware of this campaign when they were called in to assist with incident response, and they found that the organisation had fallen victim to a custom backdoor, a type of malicious code that enables attackers to gain complete remote control over the infected device.

The initial infection vector is spear phishing. Targets receive emails that contain either a malicious Word attachment or a link to one hosted on company servers. Many of the emails claim to have urgent updates related to the COVID-19 pandemic and appear to come from a respected medical centre.

Once the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt, which is attributed to the Lazarus group and has previously been seen attacking crypto-currency businesses.

Once installed, ThreatNeedle is able to obtain total control of the target’s device, which means it can do everything from manipulating files to executing received commands.

Gaining control of admin workstations

According to Kaspersky's researchers, one of the most interesting techniques used in this campaign is the ability to pilfer data from office IT networks, as well as a plant’s restricted network that contains mission-critical assets and computers with highly sensitive data and no Internet access.

No information is supposed to be transferred between these two networks. However, administrators could connect to both networks to maintain these systems. Lazarus was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there.
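The bridging pattern described above (a single workstation that reaches both the office segment and the supposedly isolated restricted segment, and then also talks to the outside) is something a defender can look for in flow or firewall logs. The script below is an added example and is not code from Kaspersky or from the report; the segment ranges, the flow-record layout and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed segment definitions (assumption: illustrative ranges, not taken from the report).
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED_NET = ipaddress.ip_network("172.16.50.0/24")

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# 10.10.5.23 plays the role of an admin workstation that touches both segments
# and then an external host, which is the pattern worth reviewing.
SAMPLE_FLOWS = [
    ("2021-02-25T09:01:10", "10.10.5.23", "10.10.1.10", 445),
    ("2021-02-25T09:02:45", "10.10.5.23", "172.16.50.12", 3389),
    ("2021-02-25T09:03:01", "10.10.5.23", "172.16.50.15", 445),
    ("2021-02-25T09:05:30", "10.10.7.8", "10.10.1.10", 443),
    ("2021-02-25T09:06:12", "172.16.50.12", "172.16.50.15", 445),
    ("2021-02-25T09:07:00", "10.10.5.23", "198.51.100.7", 443),
]


def classify(ip):
    """Map an address to the segment it belongs to: office, restricted or external."""
    addr = ipaddress.ip_address(ip)
    if addr in OFFICE_NET:
        return "office"
    if addr in RESTRICTED_NET:
        return "restricted"
    return "external"


def segments_reached(flows):
    """Return {src_ip: set of segments that source has connected to}."""
    reached = defaultdict(set)
    for _, src, dst, _ in flows:
        reached[src].add(classify(dst))
    return reached


def find_bridge_hosts(flows):
    """Sources that reach both the office and the restricted segment.

    The value is the sorted list of every segment the host reached, so a
    host that also reaches 'external' stands out as a possible exfiltration path.
    """
    return {
        src: sorted(segs)
        for src, segs in segments_reached(flows).items()
        if {"office", "restricted"} <= segs
    }


def restricted_hosts_reaching_external(flows):
    """Sources inside the restricted segment that reach anything external.

    For a segment that is meant to have no Internet access this should be empty.
    """
    return sorted(
        src
        for src, segs in segments_reached(flows).items()
        if classify(src) == "restricted" and "external" in segs
    )


if __name__ == "__main__":
    for host, segs in find_bridge_hosts(SAMPLE_FLOWS).items():
        print(f"review {host}: reaches {', '.join(segs)}")
    for host in restricted_hosts_reaching_external(SAMPLE_FLOWS):
        print(f"alert {host}: restricted host reached an external address")
```

A hit from find_bridge_hosts is not proof of compromise; administrators legitimately connect to both segments. It is a list of the machines whose compromise would give an attacker exactly the gateway the article describes, which makes them the right hosts to prioritise for hardening and monitoring.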

Seongsu Park, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky, says Lazarus was probably the most active threat actor last year, something that is unlikely to change anytime soon.

“As of January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out.”

Overcoming network segmentation

Lazarus is not only highly prolific, it is highly sophisticated, adds Vyacheslav Kopeytsev, security expert with Kaspersky ICS CERT. Not only was the group able to overcome network segmentation, it conducted extensive research to create highly personalised and effective spear phishing emails and built custom tools to extract the stolen information to a remote server.

“With industries still dealing with remote work and, thus, still more vulnerable, it’s important organisations take extra security precautions to safeguard against these types of advanced attacks,” he ends.