Lazarus
-
First known sample
2009 -
Discovery
2016 -
Number of targets
100-1000 -
Current status
Active -
Type
Cyberespionage toolkit -
Targeted platforms
Windows -
TOP targeted countries
Brazil , China , India , Indonesia , Iran , Iraq , Malaysia , Mexico , Poland , Russia , Saudi Arabia , South Korea , Taiwan , Thailand , Turkey , USA , Vietnam
-
The way of propagation
Watering hole attacks -
Purpose/Functions
Cyberespionage , Cybersabotage -
Special features
Anti-forensics, HDD wiper, SWIFT Alliance software tampering, multi-stage loaders, false flag operations.
-
Targets
Financial institutions , Government entities , Military -
Artefacts/Attribution
Out of the Lazarus group reference sample set compiled by our partner Novetta, just over 60% (61.9%) of them have at least one PE resource with Korean locale or language. A North Korean IP was involved in at least two operations against banks in Europe in 2017.
-
Description
An APT actor that’s been active since at least 2009. This group is believed to be responsible for numerous multifaceted campaigns that include cyberespionage, cyber sabotage, ransomware, and attacks against financial institutions. Originally, the group was focused on carrying out what seemed to be a geopolitical agenda mainly focused on South Korea. However, it has since moved on to global targets and has begun launching attacks for financial gain.