Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeThreat LibraryThreat Actors
Lazarus Group
Threat Actor Profile

Lazarus Group (ATP38)

The Lazarus Group, also referred to as APT38, HIDDEN COBRA, and Guardians of Peace, is a North Korean state-sponsored cybercriminal organization. Operating since at least 2009, Lazarus specializes in a range of malicious activities including financial theft, cyber espionage, and destructive cyberattacks. They have targeted industries such as finance, government, and critical infrastructure, utilizing sophisticated tactics and custom malware.

Threat Actor Profile

Lazarus Group (ATP38)

Country of Origin

Lazarus Group is linked to North Korea and is believed to operate under the Reconnaissance General Bureau, the primary intelligence agency of the Democratic People’s Republic of Korea (DPRK). The group’s activities align with state objectives, including financial gain for an economy burdened by international sanctions and furthering the regime’s political goals.

Members

The Lazarus Group is structured into specialized subgroups for various operations: Andariel focuses on financial theft and ransomware, Bluenoroff targets large-scale financial heists and cryptocurrency, and Kimsuky primarily conducts cyber espionage.

Leadership

The leadership of the Lazarus Group remains largely unidentified. However, it is reportedly governed by North Korea’s Reconnaissance General Bureau. Notably, Park Jin Hyok, a member of the Chosun Expo Joint Venture, was charged in 2018 by the U.S. Department of Justice for his involvement in Lazarus-associated operations.

Lazarus Group TTPs

Tactics

  • Financial theft and fund transfer manipulation, such as SWIFT attacks.

  • Espionage campaigns for collecting confidential data.

  • Disruption through ransomware and wiper malware.

Techniques

  1. Initial Access: Spear-phishing emails and watering hole attacks.

  2. Execution: Use of PowerShell scripts and malicious macros in documents.

  3. Persistence: Scheduled tasks, registry run keys, or custom malware implants.

  4. Privilege Escalation: Exploitation of software vulnerabilities.

  5. Defense Evasion: Fileless malware and disguise as legitimate software.

  6. Credential Access: Keylogging and credential dumping via Mimikatz.

  7. Discovery: Network and system enumeration using tools like Nmap.

  8. Lateral Movement: Pass-the-hash and PsExec for network traversal.

  9. Collection: Data staging and exfiltration tools like RAR archives.

  10. C2 (Command & Control): Use of compromised servers and encrypted channels.

  11. Exfiltration: HTTP/HTTPS protocols for data theft.

Impact: Deploying ransomware like WannaCry to disrupt critical services.

Procedures

Lazarus continuously develops custom tools and evolves methods. Key malware includes:

  • WannaCry ransomware.

  • AppleJeus cryptocurrency malware.

  • RATANKBA (remote access tools)

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Notable Cyberattacks

Sony Pictures Entertainment Hack

Targeting Sony for the movie "The Interview," Lazarus exposed sensitive internal data, employee information, and unreleased films.

Bangladesh Bank Heist

Lazarus exploited vulnerabilities in SWIFT banking systems to siphon $81 million, emphasizing their capability to blend financial crime with state-sponsored motives

WannaCry Ransomware Attack

This ransomware affected industries like healthcare and transportation, leveraging the EternalBlue exploit for propagation.

Cryptocurrency Exchange Attacks

Through phishing, fake apps, and supply-chain exploits, Lazarus has stolen hundreds of millions in cryptocurrency.

Law Enforcement & Arrests

The U.S. Department of Justice indicted Park Jin Hyok in 2018 for his alleged role in Lazarus operations. Sanctions have been imposed on North Korean entities accused of supporting cyber campaigns, which include Lazarus (source).

Glitch effectGlitch effect

How to Defend Against Lazarus Group

1

Endpoint Detection and Response (EDR): Solutions like Huntress can detect threats at multiple stages of an attack, preventing compromise from escalating.

2

Network Segmentation: Restrict lateral movement by isolating sensitive systems.

3

Threat Intelligence Monitoring: Track Lazarus-specific IOCs to block malicious infrastructure.

4

User Awareness Training: Reduce phishing susceptibility through training initiatives.

5

Secure Configurations: Harden systems by patching known vulnerabilities and disabling unnecessary services.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats like Lazarus Group with enterprise-grade technology.

References

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free