North Korean hackers shift focus for the first time toward Russian targets: Report

February 20, 2019

Hackers linked to the North Korean government have surprised researchers by shifting their attention toward targets in Russia, an Israel cybersecurity company reported Tuesday.

Check Point, a Tel Aviv-based firm that published the report, said its researchers recently became aware of suspicious activity directed against Russian-based companies bearing several hallmarks associated with the Lazarus Group, an advanced persistent threat (APT) group previously linked to several major breaches blamed on North Korea.

“For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities,” Check Point said in a blog post.

“While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group,” the report said.

The FBI has described Lazarus Group as a “government-sponsored hacking team” responsible for conducting cyber operations in support of the North Korean government, and federal prosecutors have previously accused its members of malicious activity ranging from the 2014 breach of Sony Pictures Entertainment to the WannaCry virus unleashed worldwide in 2017.

“This incident, however, represents an unusual choice of victim by the North Korean threat actor,” the Crowd Strike report noted. “Usually, these attacks reflect the geopolitical tensions between [North Korea] and nations such as the U.S., Japan and South Korea. In this case, though, it is probably Russian organizations who are the targets.”

Crowd Strike said it became aware of the connection while monitoring malicious Microsoft Office documents that were designed specifically for Russian victims and were recently uploaded from Russia to VirusTotal, a website that scans submitted files for malware. Analysis of the documents subsequently revealed that they had been crafted to automatically install malware previously used by the North Korean hacking group.

The malware, known as “KEYMARBLE,” allows hackers to remotely execute commands on infected computers and exfiltrate data, the U.S. Department of Homeland Security has previously said.

North Korean government officials have previously denied responsibility for attacks attributed to the Lazarus Group, also known as Hidden Cobra. In addition to the Sony breach and WannaCry worm, the FBI has previously connected the Lazarus Group to hacks including an electronic heist that allegedly allowed North Korea to steal $81 million from the central bank of Bangladesh.

FireEye, a U.S. cybersecurity firm, subsequently linked the same hacking group to similar stunts that breached 16 victims in 11 countries over a recent span of four years.

Han Yong Song, an official at the North Korean Ministry of Foreign Affairs, previously called the FBI’s allegations about the Lazarus Group “a vicious slander and another smear campaign full of falsehood and fabrication.”