Lazarus Group is a North Korean state-sponsored cyber threat group linked to the North Korean Reconnaissance General Bureau (RGB). The RGB, established in 2009, is a North Korean intelligence agency responsible for spying, covert operations, and cyber espionage. The RGB has been spending much of its time and attention gathering data and attempting to exfiltrate funds from South Korea, the United States, and Japan. To be clear, the RGB is the primary organization in North Korea responsible for most intelligence activity. Initially, the RGB was responsible for infiltration, raids over the border, and other activities. However, the RGB has evolved to manage Bureau 121, the primary group responsible for cybersecurity. Bureau 121 is one of six bureaus controlled by the RGB.
One of the early attacks by the Lazarus Group was called Operation Troy. Operation Troy used a distributed denial of service (DDoS) attack to disrupt the websites and servers of the South Korean government. In 2014 the Lazarus Group appeared to be responsible for an attack on Sony Pictures. On November 24, 2014, a Reddit posting noted that Sony Pictures had been attacked and hacked. At the time, the perpetrators self-identified as the “Guardians of Peace.” Stolen data was leaked, and the Lazarus Group threat actors appeared to have had access to unreleased and highly valuable movie and film content, internal emails, and information relating to the more than 4,000 employees on staff at Sony Pictures.
After that, the Lazarus Group stole over $12 million from the Banco del Austro in Ecuador. This attack was rapidly followed by the theft of $1 million from the Vietnam Tien Phong Bank. Banks in India, Poland, and Mexico also fell victim to the Lazarus Group. The attack on Bangladesh Bank netted $81 million for the group. Later, in 2017, the Lazarus Group reportedly exfiltrated $60 million in funds from the Far Eastern Bank of Taiwan.
Lazarus Group is believed to have two units: BlueNorOff and AndAriel. BlueNorOff, also known as APT38, has about 1,700 members focused on perpetrating financial cybercrime. They go after banks and, more recently, cryptocurrency exchanges, having hit over 16 organizations in over 13 countries. Their stolen funds are used to support missile and nuclear technology.
The AndAriel unit more typically targets organizations and financial institutions in South Korea. AndAriel has about 1,600 members who do reconnaissance work and analyze enemy infrastructure in preparation for a potential attack at a later time.