Lazarus Group: The Lazarus Group, a formidable cybercrime syndicate linked to North Korea, has been aggressively extending its reach into the cryptocurrency and blockchain sector having stolen over $3 Billion worth of crypto in the past 6 years. Known for their sophistication and resilience, the group’s attacks on crypto entities demonstrate their evolving tactics and techniques, showcasing a complex arsenal designed to disrupt and steal with precision.
In the past year Lazarus has already been identified as responsible for stealing almost $240 million in cryptoassets from Atomic Wallet ($100 million) CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million).
In 2022, the notorious Lazarus Group was implicated in several significant hacks, notably the breaches of Harmony’s Horizon Bridge and Axie Infinity’s Ronin Bridge, both occurring in the year’s first half. Following these high-profile attacks, Lazarus seemingly went quiet, with no major crypto heists publicly attributed to them until mid-2023. However, recent events indicate a resurgence in their activities.
Atomic Wallet Breach
On June 3, 2023, users of Atomic Wallet, a non-custodial decentralized cryptocurrency wallet, experienced losses exceeding $100 million. By June 6, blockchain analysis firm Elliptic had linked this hack to Lazarus, identifying multiple indicators pointing to the North Korean group. This attribution was subsequently confirmed by the FBI, reinforcing the group’s involvement.
CoinsPaid Compromise
July 22, 2023, marked another critical incident when Lazarus successfully executed a social engineering attack on the crypto payment platform CoinsPaid. This breach allowed the attackers to make authorized withdrawal requests, resulting in the theft of approximately $37.3 million in crypto assets. CoinsPaid’s own report, published on July 26, pointed to Lazarus as the culprits, a claim later corroborated by the FBI.
Alphapo Attack
On the same day, July 22, Lazarus orchestrated another significant heist targeting Alphapo, a centralized crypto payment provider. The attackers made off with $60 million in crypto assets, likely exploiting previously compromised private keys. The FBI’s subsequent investigation confirmed Lazarus’s role in this attack as well.
Stake.com Heist
On September 4, 2023, the online crypto casino Stake.com fell victim to an attack that saw around $41 million in virtual currency stolen. The breach was potentially facilitated by a stolen private key. The FBI confirmed Lazarus’s involvement in a press release issued on September 6, highlighting the group’s ongoing threat to the crypto sector.
CoinEx Breach
Finally, on September 12, 2023, the centralized crypto exchange CoinEx was hacked, resulting in $54 million being stolen. Multiple indicators, consistent with Lazarus’s modus operandi, pointed to their involvement in this attack.
One of the group’s significant forays into the cryptocurrency space was Operation AppleJeus. This operation targeted cryptocurrency exchanges and trading platforms worldwide. The attack began with a fake cryptocurrency trading application called Celas Trade Pro. Once users downloaded the app, it installed a Trojanized version of a legitimate software, allowing Lazarus to gain control over the infected systems.
Methodology: Lazarus used spear-phishing emails to lure victims into downloading the malware. The malicious software was capable of bypassing macOS defenses by using a valid Apple developer certificate, making it particularly insidious .
In another sophisticated operation, Lazarus Group launched the TraderTraitor campaign, targeting blockchain and cryptocurrency companies with malicious applications posing as tools for trading and portfolio management.
Tools Used:
TokenAIS and CryptAIS: These applications, disguised as AI-based trading tools, contained malicious code that would steal user credentials and other sensitive information. The malware used Node.js functions to communicate with command-and-control (C2) servers, decrypt responses, and execute malicious commands on infected systems .
3. AlticGO: Packaged as an Electron application for Windows, this tool executed similar malicious activities, highlighting Lazarus’s cross-platform attack capabilities.
Lazarus Group employs a variety of sophisticated techniques to execute their attacks:
1. Spear Phishing and Social Engineering:
The initial vector for many Lazarus attacks involves spear-phishing emails designed to deceive recipients into downloading malware or divulging sensitive information. These emails are often tailored to appear as legitimate communications from trusted sources within the targeted industry.
2. Trojanized Software:
Lazarus frequently uses Trojanized versions of legitimate software to gain access to victim systems. By embedding malicious code into seemingly benign applications, they exploit the trust users have in these tools.
3. Exploitation of Software Vulnerabilities:
The group is known for exploiting unpatched vulnerabilities in widely-used software. For example, they exploited a vulnerability in Zoho’s ManageEngine ServiceDesk to compromise corporate networks in their latest campaigns .
4. Command-and-Control (C2) Servers:
Lazarus maintains a robust C2 infrastructure to manage their malware. These servers communicate with infected systems, issuing commands and extracting stolen data. Despite being well-documented by security researchers, Lazarus continues to reuse much of the same infrastructure, indicating confidence in their operational security and obfuscation techniques .
5. Custom Malware and Tools:
The group uses a variety of custom malware, including Remote Access Trojans (RATs) and data exfiltration tools. Examples include QuiteRAT, MagicRAT, and DeimosC2, all of which have been linked to Lazarus through shared infrastructure and coding similarities .
6. False Flags and Misdirection:
To evade detection and attribution, Lazarus often employs false flags in their operations. They may leave behind misleading clues, such as using Romanized Russian words in their malware, to divert investigators from their true origins .
HYDN's Advanced Adversarial Simulation service enables companies to simulate a tailored attack aimed at circumventing traditional network controls. HYDN's team uses the same tactics, tools, techniques and mindsets as attackers such as Lazarus Group to uncover weaknesses and help you fix vulnerabilities. With HYDN, you can stay ahead of attackers and protect you and your customers valuable data.
HYDN use stealth and evasion techniques to compromise your organization and achieve predetermined goals. After the simulation, our red team will provide a full debrief including an explanation of the processes used, along with recommendations to close gaps.
To protect against Lazarus Group’s attacks, organizations in the crypto and blockchain sectors should adopt comprehensive cybersecurity measures:
• Regular Software Updates: Ensure all software and operating systems are up-to-date with the latest patches to mitigate known vulnerabilities.
• Network Monitoring: Deploy advanced network monitoring solutions to detect unusual activities and potential intrusions.
• Endpoint Security: Implement robust endpoint security solutions capable of detecting and blocking malware.
• Employee Training: Conduct regular training sessions to educate employees about the dangers of spear-phishing and social engineering tactics.
• Incident Response Planning: Develop and maintain an incident response plan to quickly address any security breaches.
The Lazarus Group’s incursions into the cryptocurrency and blockchain space underscore the need for heightened vigilance and robust cybersecurity practices. As they continue to refine their methods and expand their reach, it is crucial for organizations to stay informed and prepared to defend against these persistent and sophisticated threats. By understanding their tactics and implementing comprehensive security measures, the crypto industry can better protect itself against the ongoing menace posed by Lazarus Group.