North Korean attackers out themselves with operational security fail

Press Release  |  February 2, 2023

WithSecure™ researchers link intelligence-gathering campaign targeting medical research and energy organizations back to North Korea’s Lazarus Group.

Helsinki, Finland – February 2, 2023: Thanks in part to an operational security error by an attacker, security researchers from WithSecure™ (formerly known as F-Secure Business) have linked a cyber attack campaign back to North Korea’s notorious Lazarus Group.

Lazarus Group is an advanced persistent threat (APT) that’s widely believed to be a part of North Korea’s Foreign Intelligence and Reconnaissance Bureau. Researchers discovered the group's latest campaign after a suspected ransomware attack was detected at an organization protected by the WithSecure™ Elements cloud-native security platform.

Upon investigating the attack, WithSecure™ researchers uncovered more evidence indicating that the attack was part of a larger intelligence-gathering campaign rather than a ransomware incident.

Based on the collected evidence, the researchers were able to link the campaign to Lazarus Group, who was targeting medical research and energy organizations with the intent to commit espionage.

Specific targets of the campaign identified by the researchers included a healthcare research organization, a manufacturer of technology used in the energy, research, defense, and healthcare sectors, as well as the chemical engineering department of a leading research university.

“While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction. And as we collected more evidence we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group,” said WithSecure™ Senior Threat Intelligence Researcher Sami Ruohonen.

“During our investigation we found that this was part of a larger campaign with expanded targeting, not just an isolated incident, and it is extremely unusual to be able to link a campaign so strongly to a perpetrator as we have been able to here,” added WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson.

WithSecure™ researchers were able to connect the campaign to Lazarus Group based on its use of tactics, techniques, and procedures used in previous attacks by the group and other attackers associated with North Korea.

The researchers found several noteworthy developments in this campaign when compared to previous Lazarus Group activity, including:

  • The use of new infrastructure, including the sole reliance of IP addresses without domain names (in a departure from previous attacks).
  • A modified version of the Dtrack information stealing malware used by Lazarus Group and Kimsuky (another group associated with North Korea) in previous attacks.
  • A new version of GREASE–malware that allows attackers to create new administrator accounts with remote desktop protocol privileges that bypasses firewalls.

One notable piece of evidence discovered by researchers was that the attackers briefly made use of one of less than a thousand IP addresses belonging to North Korea. That IP address was observed connecting to an attacker-controlled webshell for a short time, leading researchers to suspect it was a manual error made by a member of the group.

However, mistakes like this should not be misinterpreted by defenders as grounds to lower their guard, according to WithSecure™ Head of Threat Intelligence Tim West

“In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints. Even with accurate endpoint detection technologies, organizations need to continually consider how they respond to alerts, and also integrate focused threat intelligence with regular hunts to provide better defense in depth, particularly against capable and adept adversaries,” he said.  

The full research is now available at https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector.

WithSecure™ media relations
Adam Pilkey
+358406378859

About WithSecure™

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.

Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.