Who is Lazarus? North Korea's Newest Cybercrime Collective

The term "Lazarus" has commonly been associated with entities that have been reanimated, with biological organisms that had died, but somehow, came back to life. The most popular figure of the same name is the biblical Lazarus, a man Jesus raised from the dead.

The Lazarus that will be discussed in this article isn't the one whom rose from the dead, no. The Lazarus as is known today is a North Korean cyber collective that has, according to Symantec, targeted high-profile organizations in 31 different countries, including Sony and the Bangladesh Bank with the North Korean government's blessing. This 21st century blessing of Lazarus is a little different from the biblical telling.

This is major cybersecurity news; a hostile foreign government is working tirelessly to disrupt the reputation and economic stability of other countries, including South Korea and Poland.

How is the hacking collective accessing the private data of foreign organizations? Lazarus is using a watering hole attack, this is when loader software installs malware on websites. The malware, Dark Matter writes, "is used to attack only particular IP addresses that belong to residents of 31 countries and from 104 specific organizations."

This is not the first time Lazarus has been found responsible for committing cybercrime at the behest of the North Korean government. Lazarus has been an active cyber collective since as far back 2009. Perhaps its memorable hack came in 2014, when Lazarus hacked Sony Pictures Entertainment, costing the company over $35 million in IT repairs, not to mention a significant hit to its reputation.

At the time of the Sony hack, the hackers were called \"Guardians of Peace.\" Since then, it has been learned that these "Guardians of Peace" were in fact made up of Lazarus members, hence their new name Lazarus: "[the collective] seems to rise up with new identities for different campaigns." Other monikers the Lazarus cyber collective has toted include:

− IsOne − WhoIs Team − NewRomanic Cyber Army Team

As reported by the Washington Post, after the hacking collective issues an attack and gleans the data they need, they disappear. In the beginning, this led the cybersecurity community to believe these cyberattacks were being committed by different groups until investigations proved otherwise. Each of the cybercrime rings used the same tools used to crack an organization's server.

After the cyberattack commenced, the group would retreat into the darkness, not to be heard from ever again, or so it was thought. By following their cyberwar trail and deciphering the tool usage, cybersecurity researchers learned that these different cyber collectives were actually one and the same. The dead giveaway was Lazarus' reuse of malware code. According to one researcher, \"these aren't pieces of malware that are being shared on underground forums-these are very well guarded codebases that haven't leaked out or been around publicly.\"

Though some of the cyberattacks initiated by the hacking collective were to extort money, others were to garner intel and surveil organizations.

Every hacking collective has their own M.O., but the end is always the same: the meltdown of an organization. To make sure your company is on the up-and-up on cybersecurity, visit CyberPolicy.

© 2016-2020 CyberPolicy, Inc. All rights reserved. CyberPolicy®, "Plan. Prevent. Insure."™, and "CyberCheckup"™ are trademarks of CyberPolicy, Inc.
DBA: CyberPolicy Insurance Solutions CA License No. 0L13180
DBA: CoverHound Insurance Solutions CA License No. 0H52375