Analysts expect Lazarus Group to evolve, clean up opsec

In crossing the threshold of unmasking an alleged Lazarus Group member, the Justice Department showed the efficacy of combining private digital forensics with the long arm of the law.
Kim Il-Sung Square, Pyongyang, North Korea

In crossing the threshold of unmasking an alleged Lazarus Group member last week, the Department of Justice showed the efficacy of combining private digital forensics with the long arm of the law. Yet if history is any guide, experts say outing the alleged hacker will do little to curb North Korea’s behavior. Instead, researchers believe the group will clean up its operational security and continue to evolve.

In the years that Eric Chien, technical director of Symantec’s Security Response, has been tracking the Pyongyang-linked hacking group, “all we’ve seen is an escalation,” he said. “They’ve only gotten more bold and more experienced in their attacks.”

The charges announced Thursday by the Justice Department against North Korean computer programmer Park Jin Hyok showed slip-ups in Park’s operational security, known colloquially as OPSEC. For example, investigators were able to correlate email accounts apparently used by Park’s front company in China to spearphishing and reconnaissance conducted ahead of some of Lazarus’s alleged hacking operations.

U.S. officials tied Park’s work to the infamous 2014 hack of Sony Pictures and the 2017 WannaCry ransomware outbreak.


The exposure of the Lazarus-linked email accounts will force the group to set up new infrastructure, according to Chien. “If they’re smart, if they’re reasonable, you would expect that they would basically stop using Hotmail and Gmail accounts,” which could be the subject of search warrants, he added.

Benjamin Read, FireEye’s senior manager for cyber espionage analysis, told CyberScoop that the North Korean hackers have steadily honed their tactics in recent years, and that this evolution will continue. He said the group has probably already abandoned the malicious-activity indicators that appear in the complaint.

“If there’s a domain or a hash that gets published [the group] stops using that,” he said. (FireEye tracks a threat group it calls TEMP.Hermit, which largely overlaps with Lazarus.)

Lazarus has a deep bench

The Justice complaint draws extensively on research from Symantec and Mandiant, FireEye’s incident response unit. While private researchers had used digital forensics to tie the group’s attacks to computer infrastructure in East Asia, revealing the true identity of the hackers had proved elusive.


“People have always believed that the actors themselves were both in places like North Korea and also in China,” Chien said. “But sitting where we are, just looking at zeros and ones inside of binary code, we can’t really see that. We can see the attacks originating from certain machines and certain regions, but that doesn’t mean that the people are physically sitting there.”

Security researchers, after all, don’t have the subpoena power of law enforcement. That power proved effective in building the case: FBI agent Nathan Shields was able to obtain access from companies like Google to online accounts allegedly used by Park.

Collaboration between U.S. law enforcement and heavyweight cybersecurity companies will continue to be crucial in pursuing criminal hacking charges. But effectively deterring a group as brazen as Lazarus is another story.

Neither Read nor Chien expected the North Korean hackers to tone down their activity in response to the Justice Department complaint. There was no downturn in hacking after the United States blamed North Korea for the destructive attack on Sony Pictures and for the WannaCry ransomware, according to researchers.

In terms of putting a dent in Lazarus’s operations, the charges will do little. It is unlikely that Park will ever see the inside of a U.S. courtroom. And there could be many more hackers like Park in the group: Chien estimated that Lazarus’s ranks are in the “low hundreds” in terms of personnel.


It might take less high-profile acts than criminal charges to frustrate Lazarus. The group does not use the most sophisticated tools on the market, and patching known vulnerabilities could help thwart some of their activity.

“On the technical side, these guys aren’t the most advanced,” Chien said. “We definitely see [nation-state groups] that are head and shoulders above what these guys are doing.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.