He is everywhere: A tale of Lazarus and his family

Transcript

1. 2023-10-17, @lazarusholic JeongGak Lyu, Financial Security Institute He is everywhere

   A tale of Lazarus and his family

2. Who are Lazarus and his family? • Behind Infamous Cyber

   Incidents • Democratic People's Republic of Korea(DPRK, North Korea) stated- sponsored Threat Actors • Most Wanted Threat Actors in the World

3. # of posts by year     

                  

4. Top 10 authors     "IOMBC &454FDVSJUZ ,BTQFSTLZ

   /4)$ 64$*4" ,3$&35 2JIPP 4BLBJ &4&5 )BVSJ

5. Lazarus by the numbers Aliases (Associated Groups) 143 Posts Authors

   Notable Activities 1,638 329 109 Victim Countries 57

6. MISP Threat Actor Galaxy https://www.misp-project.org/galaxy.html

7. MITRE ATT&CK Groups %13,
   5ISFBU
   "DUPST ( -B[BSVT
   (SPVQ -BCZSJOUI
   $IPMMJNB )JEEFO
   $PCSB (VBSEJBOT
   PG
   1FBDF

   ;*/$ /JDLFM
   "DBEFNZ "15 ( 3JDPDIFU
   $IPMMJNB *OLZ4RVJE 4DBS$SVGU 3FBQFS (SPVQ 5&.13FBQFS "15 ( 4UBSEVTU
   $IPMMJNB #FBHMF#PZ[ #MVF/PSPGG /JDLFM
   (MBETUPOF ,JNTVLZ ( 7FMWFU
   $IPMMJNB 5IBMMJVN #MBDL
   #BOTIFF 4UPMFO
   1FODJM "OEBSJFM ( 4JMFOU
   $IPMMJNB https://attack.mitre.org/groups/

8. Mandiant ,*. 3(# 5&.1)FSNJU "15 "15 "OEBSJFM .JOJTUSZ
   PG
   4UBUVF
   4FDVSJUZ "15

   0GGJDF
    
   3FTFBSDI 
   3FTFBSDI SE
   #VSFBV 3(# "OEBSJFM ,JNTVLZ -B[BSVT ,*. UN Security Council https://www.mandiant.com/resources/mapping-dprk-groups-to-government https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023 https://undocs.org/Home/Mobile?FinalSymbol=S%2F2023%2F171 ,*. 3(# "OEBSJFM 5&.1)FSNJU "15 #VSFBV
    -BC
    SE
   #VSFBV $FSJVN ,JNTVLZ UI
   #VSFBV .JOJTUSZ
   PG
   4UBUVF
   4FDVSJUZ "15

9. Naming conventions: Simple • Qihoo360: APT-C-[N] • Cisco Talos: Group[N]

   • Elastic: REF[N] • IBM: ITG[N], Hive[N] • Mandiant: APT[N], UNC[N] • Microsoft: Element Name(Deprecated) • NSHC: Sector[A][N] • Proofpoint: TA[N] • Recorded Future: TAG-[N] • Secureworks: CTG-[N] • Thales Group: ATK[N] • Qianxin: APT-Q-[N]

10. Naming conventions: State-sponsored China DPRK Iran Russia Crowd Strike Panda

    Chollima Kitten Bear Microsoft Typhoon Sleet Sandstrom Blizzard NSHC SectorB SectorA SectorD SectorC Paloalto Networks Taurus Pisces Serpens Ursa PWC Red Black Yellow Blue Secureworks Bronze Nickel Cobalt Iron

11. Naming conventions: DPRK • Ahnlab: Red [Dot | Eyes] •

    CrowdStrike: [Labyrinth | Ricochet | Silent | Startdust | Velvet] Chollima • KRCERT: Red [Carpet | Kim | Light] • Microsoft: [Citrine | Diamond | Emerald | Jade | Onyx | Opal | Pearl | Ruby | Sapphire] Sleet • NSHC: SectorA[01 - 07] • Paloalto Networks: [Crooked | Moldy | Selective] Pisces • PWC: Black [Alicanto | Artemis | Banshee | Dev2 | Shoggoth] • Secureworks: Nickel [Academy | Foxcroft | Hyatt | Kimball]

12. Lazarus, and his family #MVF/PSPGG ,JNTVLZ "OEBSJFM ,POOJ 4DBS$SVGU -B[BSVT

13. Lazarus, G0032 • Named by Novetta, 2016-02-24 - Presumably a

    ff ected by “God’s Apostles” in operation Blockbuster - Returned from the dead in the Bible • Represent the entire DPRK threat actor

14. ScarCurft, APT37, G0067 • Named by Kaspersky, 2016-06-17 - Variations

    on the malware repository domain, “scarcroft[.]net” • Targeted the North Korean defectors

15. BlueNoroff, APT38, G0082 • Named by Kaspersky, 2017-04-03 - Variations

    on the malware fi lename, “nro ff _b.exe” in Bangladesh Central Bank Heist • Follow the money

16. Kimsuky, APT43, G0094 • Named by Kaspersky, 2013-09-11 - Russianized

    version of the email sender name, “kimsukyang”(ӣࣼন) - Initially announced as an operation code name • “The king of the spear-phishing”

17. Andariel, G0138 • Named by FSI, 2017-07-27 - The act

    1 boss character in the game, Diablo II • Exploit centralized management software • Targeted U.S. healthcare with ransomware

18. Konni • Named by Cisco Talos, 2017-05-03 - Initially Introduce

    as a malware family name • Spear phishing targeting South Korea

19. Notable activities ,,/1
    .',
    #JUQPJOU
    %SBHPO&Y
    #BOL
    PG
    7BMFUUB 2009 2010 2023

    2021 2011 2012 2013 2014 2022 2015 2016 2017 2018 2019 2020 
    %%P4 
    %%P4 
    $ZCFS
    5FSSPS
    
    $ZCFS
    5FSSPS 4POZ
    1JDUVSFT
    &OU 4FPVM
    .FUSP
    ,)/1 #BOHMBEFTI
    $FOUSBM
    #BOL
    4UBOEBSE
    #BOL
    $/#7
    ,/'
    6OJPO
    #BOL
    #BODP
    3FQVCMJDB
    "L#BOL *OJUFDI
    *OUFSQBSL
    %4.&
    4,)BOKJO
    %FGFOTF
    /FUXPSL 8BOOB$SZ
    3BOTPNXBSF
    /*$
    "TJB
    #BOL
    )FSNFT
    3BOTPNXBSF
    '&*#
    .BSJOF
    $IBJO
    /JDF)BTI
    $FOUSBM
    "NFSJDBO
    0OMJOF
    $BTJOP #JUIVNC
    
    $IPOHIP
    &BTZDBTI
    :BQJ[PO
    -BCPS
    6OJPOT
    :BQJ[PO:PVCJU
    )BOBUPVS
    6OLOPXO
    104
    $PJOJT 'BTU$BTI
    $PJO$IFDL
    3FECBOD
    #BOL*TMBNJ
    )4#$
    .BMUB
    ;BJG
    $PTNPT
    #BOL
    #BOP
    EF
    $IJMF
    .FUSPMJOY #BOL
    3BLZBU
    7)%
    3BOTPNXBSF
    'BTU$BTI
    
    &UFSCBTF
    ,V$PJO ,"&3*
    ,"*
    4/6)
    %4.& $9
    "UPNJD8BMMFU
    +VNQ$MPVE
    "MQIBQP
    $PJOT1BE
    4UBLFDPN
    $PJO&Y
    )MZ(ITU
    3BOTPNXBSF
    .BVJ
    3BOTPNXBSF
    "YJF
    *OGJOJUZ
    )BSNPOZ
    #SJEHF
    2VCJU
    'JOBODF %"1"
    4FKPOH
    *OTUJUVUF
    #JUIVNC
    34VQQPSU
    8BWF4USJOH
    (#/,$FOUFS #JUIVNC
    .BSLBOZ
    
    6QCJU #BODP
    EFM
    "VTUSP
    5JFO
    1IPOH
    #BOL +PPOHBOHJMCP -JRVJE ,".4
    )%"$
    8J[7FSB /)#BOL

20. Notable activities by motivation 0 10 20 30 2009 2010

    2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 Destruction Espionage DataBreach FinancialGain Wateringhole SupplyChain

21. Worldmap Others 55% Viet Nam 2% India 5% Japan 5%

    United States 8% Korea, Republic of 25%

22. Their favorites • Initial Access - T1195 Supply Chain Compromise

    - T1189 Drive-by Compromise - T1566 Phishing • Lateral Movement - T1210 Exploitation of Remote Services

23. @lazarusholic https://lazarus.day Is he everywhere? Background Images: Unsplash Marek Piwnicki