Threat Actor Profile
Lazarus Group (ATP38)
The Lazarus Group, also referred to as APT38, HIDDEN COBRA, and Guardians of Peace, is a North Korean state-sponsored cybercriminal organization. Operating since at least 2009, Lazarus specializes in a range of malicious activities including financial theft, cyber espionage, and destructive cyberattacks. They have targeted industries such as finance, government, and critical infrastructure, utilizing sophisticated tactics and custom malware.
Threat Actor Profile
Lazarus Group (ATP38)
Country of Origin
Lazarus Group is linked to North Korea and is believed to operate under the Reconnaissance General Bureau, the primary intelligence agency of the Democratic People’s Republic of Korea (DPRK). The group’s activities align with state objectives, including financial gain for an economy burdened by international sanctions and furthering the regime’s political goals.
Members
The Lazarus Group is structured into specialized subgroups for various operations: Andariel focuses on financial theft and ransomware, Bluenoroff targets large-scale financial heists and cryptocurrency, and Kimsuky primarily conducts cyber espionage.
Leadership
The leadership of the Lazarus Group remains largely unidentified. However, it is reportedly governed by North Korea’s Reconnaissance General Bureau. Notably, Park Jin Hyok, a member of the Chosun Expo Joint Venture, was charged in 2018 by the U.S. Department of Justice for his involvement in Lazarus-associated operations.
Lazarus Group TTPs
Tactics
Financial theft and fund transfer manipulation, such as SWIFT attacks.
Espionage campaigns for collecting confidential data.
Disruption through ransomware and wiper malware.
Techniques
Initial Access: Spear-phishing emails and watering hole attacks.
Execution: Use of PowerShell scripts and malicious macros in documents.
Persistence: Scheduled tasks, registry run keys, or custom malware implants.
Privilege Escalation: Exploitation of software vulnerabilities.
Defense Evasion: Fileless malware and disguise as legitimate software.
Credential Access: Keylogging and credential dumping via Mimikatz.
Discovery: Network and system enumeration using tools like Nmap.
Lateral Movement: Pass-the-hash and PsExec for network traversal.
Collection: Data staging and exfiltration tools like RAR archives.
C2 (Command & Control): Use of compromised servers and encrypted channels.
Exfiltration: HTTP/HTTPS protocols for data theft.
Procedures
Lazarus continuously develops custom tools and evolves methods. Key malware includes:
WannaCry ransomware.
AppleJeus cryptocurrency malware.
RATANKBA (remote access tools)
Want to Shut Down Threats Before They Start?
Notable Cyberattacks
Law Enforcement & Arrests
The U.S. Department of Justice indicted Park Jin Hyok in 2018 for his alleged role in Lazarus operations. Sanctions have been imposed on North Korean entities accused of supporting cyber campaigns, which include Lazarus (source).
How to Defend Against Lazarus Group
Endpoint Detection and Response (EDR): Solutions like Huntress can detect threats at multiple stages of an attack, preventing compromise from escalating.
Network Segmentation: Restrict lateral movement by isolating sensitive systems.
Threat Intelligence Monitoring: Track Lazarus-specific IOCs to block malicious infrastructure.
User Awareness Training: Reduce phishing susceptibility through training initiatives.
Secure Configurations: Harden systems by patching known vulnerabilities and disabling unnecessary services.
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats like Lazarus Group with enterprise-grade technology.
References
Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
