Lazarus Group develops supply chain attack capabilities
Lazarus, a highly prolific North Korean state-sponsored advanced threat group, has been developing supply chain attack capabilities to commit cyber-espionage, and target the defence industry.
This was revealed in Kaspersky’s latest quarterly threat intelligence report, which summarises the findings of the security company's subscriber-only threat intelligence reports. This includes indicators of compromise, data and rules to assist in forensics and malware hunting.
Lazarus is one of the world’s most active and notorious threat actors, which has been active since at least 2009. It has been behind some of the largest cyber espionage and ransomware campaigns to date.
Having a variety of advanced tools at its disposal, the group appears to have chosen to apply them to new goals, Kaspersky says.
In June this year, the security giant observed the Lazarus group attacking the defence industry using the multi-platform malware framework (MATA), which has the ability to target three operating systems – Windows, Linux and macOS.
Historically, Lazarus has used this framework to attack various industries to steal customer databases and spread ransomware. However, this time Kaspersky researchers tracked Lazarus using MATA for the purpose of cyber espionage.
Supply chain attack
Lazarus was also seen building supply chain attack capabilities with an updated DeathNote cluster, which consists of a slightly updated variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA).
Kaspersky researchers discovered campaigns targeting a South Korean think-tank and an IT asset monitoring solution vendor.
In the first case, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.
When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organisation – something we saw clearly with the SolarWinds attack last year.Ariel Jungheit, Kaspersky.
In the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named “Racket” which they signed using a stolen certificate. The actor compromised vulnerable Web servers and uploaded several scripts to filter and control the malicious implants on successfully breached machines.
Ariel Jungheit, senior security researcher, at Kaspersky’s Global Research and Analysis Team, says these recent developments shine the spotlight on two things. Firstly, Lazarus remains interested in the defence industry, and secondly, it is also looking to expand its capabilities with supply chain attacks.
“This APT [advanced persistent threat] group is not the only one seen using supply chain attacks. In the past quarter we have also tracked attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organisation – something we saw clearly with the SolarWinds attack last year. With threat actors investing in these capabilities, we need to stay vigilant and focus defence efforts on that front,” he adds.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky recommends providing the SOC team with access to the latest threat intelligence, and upskilling cyber security teams to tackle targeted threats.
For endpoint level detection, investigation, and timely remediation of incidents, the company recommends implementing EDR solutions as well as a corporate-grade security solution that detects advanced threats on the network level at an early stage.
Finally, as many targeted attacks start with phishing or other social engineering techniques, Kaspersky says businesses should introduce security awareness training and teach practical skills to their teams.