Lazarus group behind North Korea’s cyber attack on SA

Read time 3min 00sec
North Korea successfully raked in $2 billion from several attacks it carried out to fund its weapons of mass destruction programmes, says the United Nations.
North Korea successfully raked in $2 billion from several attacks it carried out to fund its weapons of mass destruction programmes, says the United Nations.

Cyber security firm Kaspersky Lab has blamed the Lazarus group for SA’s recent cyber attack emanating from North Korea.

This as SA was listed as one of the 17 countries targeted by North Korean hackers to illegally raise money for its weapons of mass destruction programmes.

The United Nations (UN) has since opened an investigation into allegations against North Korea and its cyber attacks.

The investigation is looking to get to the root of the possibility that North Korea sponsored and orchestrated at least 35 cyber attacks, hitting about 17 countries.

Last week, several news outlets published excerpts from a UN report, which suggested North Korea successfully raked in $2 billion from several attacks it carried out.

On 6 March, the UN Security Council reported North Korean state-backed hackers successfully breached at least five crypto-currency exchanges in Asia between January 2017 and September 2018, causing $571 million in losses.

A number of countries and international bodies have imposed sanctions on North Korea. Currently, many sanctions are concerned with North Korea’s nuclear weapons programme and were imposed after its first nuclear test in 2006.

Reuters reports UN experts said North Korea “used cyber space to launch increasingly sophisticated attacks to steal funds from financial institutions and crypto-currency exchanges to generate income”.

They also used cyber space to launder the stolen money, the report said.

The lengthier version of the report reveals neighbouring South Korea was hardest-hit, the victim of 10 North Korean cyber attacks, followed by India with three attacks, and Bangladesh and Chile with two each.

The report says 13 countries suffered one attack – SA, Costa Rica, Gambia, Guatemala, Kuwait, Liberia, Malaysia, Malta, Nigeria, Poland, Slovenia, Tunisia and Vietnam.

AP says the report cites three main ways North Korean cyber hackers operate:

  • Attacks through the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, the system used to transfer money between banks, “with bank employee computers and infrastructure accessed to send fraudulent messages and destroy evidence”.
  • Theft of crypto-currency “through attacks on both exchanges and users”.
  • “Mining of crypto-currency as a source of funds for a professional branch of the military.”

On the South African attack, Dr Amin Hasbini, head of the global research and analysis team for META at Kaspersky, comments: “The incident described refers to the activity of so-called Lazarus group, that has been a major threat actor in the APT [advanced persistent threat] arena for several years already, and Kaspersky experts are tracking it closely.”

The Lazarus group (also known as Guardians of Peace, Whois Team) is a cyber crime group made up of an unknown number of individuals. While not much is known about the group, researchers have attributed many cyber attacks to it over the last decade.

Hasbini notes that alongside goals like cyber espionage and cyber sabotage, the attacker has been targeting banks and other financial companies around the globe.

“Through their cyber criminal activities, the group has targeted a number of countries across Africa, among others in different territories.

“Till now, there is no data about money being stolen from a South African bank through these attacks, which could be an indicator that no money was stolen, or that if an attack did in fact result in any loss of funds, the details have not been disclosed.”

Login with