Advertisement

Hacking tools used by North Korea’s Lazarus Group aimed at Russian targets

Check Point cautions that while it’s “problematic” to definitively pinpoint who’s responsible for such an attack, its “analysis reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group[.]”
Lazarus Group, apt37
Pyongyang, North Korea (Pixabay)

One of the United States’ biggest cyber adversaries has been targeting another, according to new research.

Security vendor Check Point Technologies on Tuesday published findings in which its researchers “were observing what seemed to be a coordinated North Korean attack against Russian entities.” The company cautions that it’s “problematic” to definitively pinpoint who’s responsible for such an attack, though “analysis reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group[.]”

Lazarus has been blamed for highly publicized attacks on Sony Pictures, the Bangladesh Bank heist, and could be a key part of North Korean efforts to evade international sanctions by pursuing international espionage. The suspicious activity in this attack occurred “over the past few weeks,” the company said.

Check Point said its researchers were tracking malicious Microsoft Office documents that appeared to be designed specifically targeted at Russian victims. A closer inspection of the hacking tools revealed that they were part of KEYMARBLE, a malware family the U.S. Department of Homeland Security described in 2018 as a variant used by the North Korean government.

Advertisement

“This incident … represents an unusual choice of victim by the North Korean threat actor,” Check Point researchers wrote. “Usually, these attacks reflect the geopolitical tension between the DPRK and nations such as the U.S., Japan and South Korea. In this case, though, it is probably Russian organizations who are the targets.”

Hackers typically used a ZIP file containing a PDF document and a Microsoft Word file laced with malware. The Word file used a Microsoft tool known as a VBScript to access a Dropbox URL, and ultimately download a nefarious EXE file. All of the documents had a Korean code page and cited “home” as the author identity.

Check Point did not identify the hacking targets by name, however one file contains a non-disclosure agreement that appears to come from StarForce Technologies, a software company headquartered in Moscow.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts