A North Korean State-Sponsored Cyber-attack Campaign Uncovered
Security researchers have uncovered a cyber-attack campaign by the North Korean Lazarus Group targeting medical research, energy, and other organizations in an effort to gain intelligence information.
The incident began at the end of August when attackers exploited unknown vulnerabilities in an unpatched Zimbra mail server, leading to the exfiltration of many gigabytes of data. In the following weeks, the attackers moved laterally across the network and used living-off-the-land (LotL) techniques to gain access. By November, the attackers were exfiltrating almost 100GB of data and connecting to Cobalt Strike command-and-control (C2) infrastructure.
“This was initially suspected to be an attempted BianLian ransomware attack,” says Sami Ruohonen, senior threat intelligence researcher for WithSecure. “The evidence we collected quickly pointed in a different direction. And as we collected more, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group.”
No Pineapple!
The researchers named the incident “No Pineapple” due to an error message appended to the backdoor used by the attackers. They also discovered an attacker-controlled Web shell that for a short time connected to an IP address belonging to North Korea, revealing a key operational security (OpSec) slip-up by the Lazarus crew.
Other victims included a healthcare research company; a manufacturer of technology used in energy, research, defense, and healthcare verticals; and a chemical engineering department at a leading research university. The infrastructure observed by the researchers has been established since May 2021, with most of the breaches observed taking place in the third quarter of 2022.
Lazarus is a long-running threat group widely thought to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. In 2022, numerous reports emerged of advanced attacks from Lazarus that included targeting of Apple’s M1 chip, as well as fake job posting scams. Last week, the FBI confirmed Lazarus Group threat actors were responsible for the theft of $100 million of virtual currency from the cross-chain communication system from the blockchain firm Harmony.
The motives of the Lazarus Group are both financial and espionage-related. WithSecure researchers believe the threat actor was intentionally targeting the supply chain of the medical research and energy verticals.