31 January 2022

In the spotlight: Lazarus Group


North Korea-linked advanced persistent threat (APT) groups are considered to be among the world’s most advanced threat actors, on par with Russian, Chinese, or Iranian APTs. When conducting their operations, North Korean state-backed hackers leverage a wide array of sophisticated techniques, including the exploitation of zero-day vulnerabilities, custom malware tools, destructive malware and ransomware, and clever evasion and persistence mechanisms designed to keep their activity under the radar.

Lazarus Group is perhaps the best-known APT group linked to North Korea. Active since at least 2009 (and potentially as early as 2007), the group is thought to be behind many high-profile cyberattacks between 2010 and 2021, including the $81 million heist from Bangladesh’s central bank, the 2014 destructive wiper attack on Sony Pictures Entertainment, the 2017 WannaCry ransomware outbreak, a long-running campaign against South Korean organizations, and more.

Lazarus Group is also known as Guardians of Peace, Whois Team, and Hidden Cobra, although it should be noted that US intelligence agencies use the moniker Hidden Cobra to refer to malicious cyber activity by the North Korean government in general. The group is believed to have ties to the North Korean government’s Reconnaissance General Bureau.

Originally a cybercrime collective, Lazarus has become a formidable cyber-adversary over time due to its constantly evolving TTPs (tactics, techniques, and procedures) and malware arsenal.

The earliest attack that may be attributable to this group is “Operation Flame”, a large-scale DDoS attack on South Korean government websites in 2007.

The Lazarus group was first identified in Novetta’s 2016 report detailing “Operation Blockbuster”, an investigation into the 2014 Sony hack conducted in collaboration with Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber. During the investigation the researchers discovered over 40 different malware families. They were able to link the malware and the attackers’ modus operandi to the 2009 cyberespionage campaign known as “Operation Troy”, in which threat actors posing as hacktivists launched DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities to cover the theft of South Korean and US military secrets.

The analysis also revealed links, based on patterns of code reuse, to Operation 1Mission/DarkSeoul, which targeted banks and media in South Korea in 2013, as well as to other attacks against South Korea, the US, Japan, China, and Taiwan.

Lazarus is also thought to be responsible for the widespread WannaCry (WCry) ransomware attack in 2017 that affected over 300,000 computers across 150 countries, many of them belonging to government agencies, hospitals, and private businesses, including the UK’s National Health Service, Spain-based Telefonica, US-based FedEx, the German railway company Deutsche Bahn, LATAM Airlines, and other entities.

WannaCry is a crypto-ransomware worm that targets Windows PCs and is able to spread from computer to computer across a network without user interaction. The 2017 WannaCry attack exploited an old vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, which was first discovered and reportedly exploited by the US National Security Agency. Dubbed EternalBlue, the exploit was eventually leaked by the hacker group known as “The Shadow Brokers” in April 2017, and a month later, in May, it was used by threat actors as a means to compromise computers on a network and deploy the WannaCry ransomware. The malware then used a backdoor tool called DoublePulsar to install and execute itself.
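The worm-like spread described above leaves a distinctive mark on the network: a single host opening TCP/445 (SMB) connections to many different peers within a short time. The following Python script, added here as an illustration and not part of the original article, flags that fan-out pattern over constructed sample flow records (timestamp, source, destination, destination port); the 60-second window and the threshold of five distinct peers are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real data): "timestamp src dst dport".
# 10.0.0.5 fans out over TCP/445 in seconds; 10.0.0.30 touches five hosts spread over hours.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.7 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.8 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.9 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.10 445
2017-05-12T10:00:05 10.0.0.5 10.0.0.11 445
2017-05-12T10:00:06 10.0.0.5 10.0.0.12 445
2017-05-12T10:00:07 10.0.0.20 10.0.0.50 445
2017-05-12T10:00:08 10.0.0.21 10.0.0.50 443
2017-05-12T09:00:00 10.0.0.30 10.0.0.60 445
2017-05-12T10:00:00 10.0.0.30 10.0.0.61 445
2017-05-12T11:00:00 10.0.0.30 10.0.0.62 445
2017-05-12T12:00:00 10.0.0.30 10.0.0.63 445
2017-05-12T13:00:00 10.0.0.30 10.0.0.64 445
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_smb_fanout(flows, window=timedelta(seconds=60), threshold=5, port=445):
    """Return {src: peers} for sources reaching >= threshold distinct hosts on `port` within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:                      # only SMB traffic is of interest here
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                          # time order so the window can slide forward
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for src, n in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n} distinct SMB peers within 60s (possible worm propagation)")
```

The slow host 10.0.0.30 is deliberately not flagged: the time window separates a file server being browsed over the day from a worm sweeping a subnet.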

In February 2021, three North Korean computer programmers were indicted by the US authorities for their role in creating and distributing the WannaCry ransomware.

In the past, Lazarus was mainly focused on a number of industry verticals, such as government, military, financial, media, entertainment, and critical infrastructure, but since the start of the COVID-19 pandemic, pharmaceutical companies have become major targets for the group. For example, in November 2020 it was revealed that suspected North Korean hackers had attempted to breach the computer systems of British COVID-19 vaccine manufacturer AstraZeneca.

At present, it’s unclear how many groups are operating under the Lazarus Group umbrella, because North Korean threat actors often share code, infrastructure and malicious tools. Due to this, some organizations use the moniker Lazarus Group to refer to any activity attributed to North Korea, while other security researchers track clusters (AppleJeus, ThreatNeedle, DeathNote) and subgroups (Bluenoroff, Andariel) associated with the country separately.

Bluenoroff, aka APT38 (Mandiant), Stardust Chollima (CrowdStrike), BeagleBoyz, and Nickel Gladstone, is believed to be a unit of Lazarus that specializes in financially motivated cybercrime, and is allegedly responsible for a wide array of cyber thefts, including the 2016 Bangladesh bank robbery.

The malware and tools associated with the group include the DarkComet RAT, Mimikatz, Net, Nestegg, Macktruck, WannaCry, WhiteOut, Quickcafe, Rawhide, Smotthride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, the Hermes ransomware, TwoPence, Electricfish, PowerRatankba, PowerSpritz, and others.

Bluenoroff typically uses a variety of techniques when conducting its cyber operations. These include phishing, brute force, backdoors, drive-by compromise, watering hole attacks, exploitation of vulnerabilities in outdated Apache Struts 2 installations, and hacking into Linux servers.

The Andariel (Silent Chollima, Dark Seoul, Rifle, Wassonite) subgroup focuses on South Korean organizations and businesses, including military agencies, defense industries, political organizations, security companies, ICT companies, and energy research institutes, as well as ATMs, banks, travel agencies, cryptocurrency exchanges, and online gambling users.

The group has been observed using a variety of tools and tactics in its operations, such as DDoS attacks and wipers, misdirection techniques (campaigns disguised as hacktivist attacks, or a “false flag” scenario), spear-phishing, supply-chain attacks, watering hole attacks exploiting ActiveX vulnerabilities, and exploitation of vulnerabilities in security and IT asset management systems.

Andariel’s malware arsenal includes well-known backdoors, such as Aryan and Gh0st RAT, and in-house developed backdoors like Andarat, Andaratm, Rifdoor, and Phandoor.

