Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.
Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus — also known as APT38 — targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers to establish an initial foothold onto a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.
Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.
However, Cisco Talos also observed a previously unknown remote access trojan — or RAT — named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
The Lazarus Group is a financially motivated hacking group backed by the North Korean state that is best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also driven by efforts to support North Korea’s state objectives, including military research and development and evasion of international sanctions.
However, the group has in recent months turned its attention to blockchain and cryptocurrency organizations. It has been linked to the recent theft of $100 million in crypto assets from Harmony’s Horizon Bridge, and the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.
Pyongyang has long used stolen cryptocurrency and the theft of other information to fund its nuclear weapons program.
In July, the U.S. government offered a $10 million reward for information on members of state-sponsored North Korean threat groups, including Lazarus, doubling the amount that the U.S. State Department announced in April.