Cybersecurity , Data Breach

Kaspersky Links North Korean IP Address to Lazarus

Opsec Failure Gives Strong Indication of North Korean Attacks Against Banks
Kaspersky Links North Korean IP Address to Lazarus

On Jan. 18, someone began infiltrating a server in Europe from afar. The person began testing the server as a possible stage for launching hacking attacks.

See Also: How to Scale Your Vendor Risk Management Program

As is customary, the person initially used VPNs to connect to the server. One VPN connection came from France, another from South Korea. But then something strange happened: a North Korean IP address connected.

North Korea has long been suspected as being behind the Lazarus group, the nickname given attackers that stole $81 million from the U.S. Federal Reserve account of Bangladesh's Central Bank. The Wall Street Journal reports that the U.S. is reportedly building a case that pins the theft on North Korea (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).

Lazarus conducted devastating cyberattacks against South Korea in 2013, disrupting its banking system, as well as breaching and then destroying the networks of Sony Pictures Entertainment in late 2014 (see ISMG's Guide to the Sony Breach).

Linking Lazarus to North Korea has proved elusive, and evidence has been mostly circumstantial. But in its latest research, Kaspersky Lab has turned up the strongest link yet to the isolated nation. The research was unveiled on April 4 at its annual security summit, which is being held this year in St. Maarten.

Kaspersky says it gained insight into Lazarus by working with banks in two countries that were attacked earlier this year. The investigation revealed a major operational security failure and deep insight into how Lazarus exploits victims.

Subverting SWIFT

A subgroup within Lazarus, which Kaspersky calls Bluenoroff, runs meticulous hacking operations against banks, as well as less conventional targets, such as traders and casinos, the research firm claims.

Those attacks are often aimed at SWIFT, the messaging system that is used by financial institutions for international wire transfers. The attacks haven't been enabled by software vulnerabilities in the SWIFT software, but rather a combination of deep penetration into banks' networks and account compromises, Kaspersky says.

Bluenoroff is a patient stalker: In one attack against an institution in southeast Asia, it was inside the organization for seven months, Kaspersky says. That institution happened to be breached at the same time as the Bangladesh heist.

The malware used in that incident was compiled and deployed shortly before an attack. The hackers operated only when no one was working at the institution or on weekends. Malware installers were password-protected. That's not a new technique, but one that's in the realm of more advanced attackers, Kaspersky says.

"Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection," Kaspersky says. "Burning those doesn't impact the group too much. However, if the first stage backdoor reports an interesting infection, they start deploying more advanced code, carefully protecting it from accidental detection on disk."

Opsec Mistake

Even with Bluenoroff's careful methods of operation, however, Kaspersky says it made a mistake.

Hackers usually use other networks of compromised computers to launch attacks, fudging their real IP addresses. It's also what in part makes attribution inconclusive.

That's why the discovery of a North Korean IP address in a log of a command-and-control server used by Lazarus is so interesting. North Korea has a very small IP address space that is actively used: just 1,024 IP addresses, run by a single provider, Star Joint Venture. Internet access is strictly controlled in the country.

If the hacker realized a real IP address had been revealed, the information surely would have been immediately scrubbed from server logs. But why it remained may be the result of another problem. Kaspersky says the server had cryptocurrency software installed that mines a virtual currency called Monero.

"The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky says. "This could be the reason why it was not properly cleaned, and the server logs were preserved."

Same Mistake, Different Target

After Sony Pictures was attacked, within a month the U.S. blamed North Korea. The conclusion was met with much skepticism because the agency did not release technical evidence.

But in January 2015, FBI Director James Comey revealed more at a cybersecurity conference at Fordham Law School. He said the North Koreans usually used proxy servers for their attacks. But in some instances, they were "sloppy," he noted (see FBI Attributes Sony Hack to North Korea).

"Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using ... were exclusively used by the North Koreans," Comey said, according to Wired magazine. "They shut it off very quickly once they saw the mistake. But not before we saw where it was coming from."

Of course, it doesn't discount the possibility of a so-called "false flag" attack, where technical indicators are faked to point suspicion in another direction. But Kaspersky's find is nonetheless significant, even if only deepens the mystery behind the SWIFT attacks.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network