Is Lazarus Preparing for War?
North Korea has been engaged in constant demonstrations of physical force against South Korea since the division of Korea. More recently, South Korea and North Korea have been engaged in a war without gunfire in cyberspace. On March 20, 2013, an attack by Lazarus Group, which is known to be supported by North Korea, paralyzed the computer networks of media companies and banks in South Korea. Ten years later, in 2023, the National Intelligence Service (NIS) of South Korea publicly revealed that Lazarus Group had hacked into the country’s defense and bio industries by exploiting vulnerabilities in well-known security programs.
The Lazarus group has been identified as targeting key industries in South Korea, including chemical, energy, finance, defense, construction, and pharmaceuticals, using vulnerabilities not only in the software disclosed in NIS’s recent release but also in two other programs. According to our internal logs, there were over 90 attempted attacks in the first half of 2023 alone. Consequently, as of March this year, we have reported to the relevant institutions in South Korea the discovery of three 0-day vulnerabilities in the software that Lazarus group used for these attacks.
The vulnerable programs that have been exploited are essential security programs that must be installed in order to use electronic financial services in South Korea. The number of systems with these programs installed is estimated to exceed the country’s population of 50 million. The damage to South Korea would be unimaginable if such software were exploited at scale. In January of this year, Wladimir Palant, the developer of AdblockPlus (an ad-blocking browser extension), even published an article titled “South Korea’s online security dead end” criticizing South Korea’s internet banking security.
We’ve been tracking Lazarus Group’s hacking cases since 2021, and we’ve also performed forensic analysis on some of them. This presentation introduces Lazarus Group’s latest TTPs (Tactics, Techniques and Procedures), including how several Korean companies were compromised by Lazarus Group, the software vulnerabilities used in those intrusions, the disabling of security software using BYOVD (Bring Your Own Vulnerable Driver), and anti-forensics techniques.
Because the Lazarus group is a highly malicious attack group that operates not only in South Korea but also around the world, it is necessary to respond jointly through information exchange and cooperation among security experts worldwide.
Mr. JunSeok Kim
Junseok Kim works in the malware analysis team in the AhnLab Security Emergency response Center (ASEC), where he specializes in incident response, malware analysis, and cyber threat intelligence. His passion lies in researching advanced persistent threats (APTs) that target South Korea, and he is committed to becoming an expert in this area. Recently, he has become interested in vulnerability analysis.
Mr. TaeHyeon Song
Taehyeon Song is a member of the analytics team at AhnLab ASEC. He works on incident response and malware analysis, and is particularly interested in analyzing APTs related to South Korea and finding various zero-day vulnerabilities.
Mr. MyeongSu Lee
Myeongsu Lee started his IT career while serving in the military in 1999, and from 2006 he conducted security-related lectures and security projects covering reverse engineering, exploit development and patch analysis, web hacking, network hacking, and digital forensics. He joined AhnLab in 2011 and has been working as an incident response analyst at A-FIRST (AhnLab Forensics & Incident Response Service Team).
Mr. MyungUk Han
Myunguk Han is a malware researcher at AhnLab.
Having spent much time deep in malware and vulnerabilities, he loves reverse engineering and is passionate about computers themselves. In his free time, he reads cyber attack reports for self-improvement.