Considered to be one of the largest and most successful cyber heists ever, Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.
On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.
The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.
While Kaspersky’s team believes Lazarus to be large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group responsible for financial profit exists, which they have dubbed Bluenoroff.
In February, researchers discovered an attack aimed at banks in Poland that were linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so malware would be served to its visitors.
Since December 2015, Kaspersky Lab was able to detect malware samples relating to Lazarus group activity that appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.
Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.
“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab’s Global Research & Analysis Team explained. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”