A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.
Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year.
According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access.
Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.
However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.
Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.
Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.
The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.
