North Korean State Hackers Start Targeting the IT Supply Chain

North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities.

Lazarus used a new variant of the BLINDINGCAN backdoor to target a South Korean think tank in June after deploying it to breach a Latvian IT vendor in May.

“In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload,” the researchers said.

Also Read: 9 Policies For Security Procedures Examples

“In the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus.”

The backdoor used in these attacks was first identified by CISA and the FBI. They found that it can remove itself from compromised systems to evade detection, exfiltrate data, spawn and kill processes, and tamper with file and folder timestamps.

Lazarus also delivered the COPPERHEDGE remote access trojan (RAT) using the BLINDINGCAN backdoor, according to Kaspersky’s Q3 2021 APT trends report.

The same RAT was also deployed by Lazarus when targeting cryptocurrency exchanges and related entities in the past.

This malware is known for helping its operators perform system reconnaissance tasks, run arbitrary commands on infected devices, and exfiltrating stolen data.

Old malware repurposed for cyber-espionage

The Lazarus Group (also tracked as HIDDEN COBRA by the United States Intelligence Community) is a military hacking group backed by the Democratic People’s Republic of Korea and active since at least 2009.

They are known for targeting high-profile organizations such as Sony Films in Operation Blockbuster and multiple banks worldwide and for coordinating the 2017 global WannaCry ransomware campaign.

More recently, Google spotted Lazarus in January while targeting security researchers in social engineering attacks using elaborate fake “security researcher” social media personas and in a similar campaign in March.

The same month, they also used a previously undocumented backdoor dubbed ThreatNeedle in a large-scale cyber-espionage campaign targeting the defense industry of over a dozen countries.

In June, Kaspersky researchers also saw Lazarus deploying their MATA malware framework that in cyber-espionage campaigns.

MATA can target Windows, Linux, and macOS, and Lazarus previously used it in 2020 for data exfiltration in ransomware attacks.

Also Read: 7 Phases Of Data Life Cycle Every Business Must Be Informed

“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks,” said Ariel Jungheit, a senior security researcher at Kaspersky.

“When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year.”

The U.S. Treasury sanctions three DPRK-sponsored hacking groups (Lazarus, Bluenoroff, and Andariel) in September 2019.

The U.S. government also offers a reward of up to $5 million for info on DPRK hackers’ cyber activity to help disrupt their activities or identify or locate North Korean threat actors.