A campaign of cyber attacks targeting medical research bodies and energy firms has been pinned on the infamous North Korean advanced persistent threat (APT) group known as Lazarus – the group behind the 2017 WannaCry incident – after an operational security error by gang members exposed its activity.
Researchers at Finland’s WithSecure picked up the story after detecting what appeared to be a run-of-the-mill ransomware attack on a customer that was using its Elements cloud-native security platform. But it soon became apparent that something else was happening.
“While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we collected quickly pointed in a different direction. As we collected more evidence, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group,” said WithSecure senior threat intelligence researcher Sami Ruohonen.
In the investigated incident, the gang gained initial access to unpatched, internet-facing Zimbra servers in August 2022 by exploiting CVE-2022-27925 and CVE-2022-37042, and escalated privileges from there. They used off-the-shelf webshells and custom binaries, abused legitimate Windows and Unix tools, and installed tools for proxying, tunnelling and relaying connections.
The observed command and control (C2) behaviour suggests a small number of C2 servers connecting via multiple relays and endpoints, some of which apparently belonged to other compromised victims. Between 5 and 11 November 2022, the attacker exfiltrated approximately 100GB of data but took no destructive action.
The attacker’s error, and a key factor in leading the WithSecure team to its conclusions, was the brief use of one of fewer than a thousand IP addresses known to belong to North Korea.
While poring over the victim’s network logs, the team found a single connection from a North Korean IP address – 175.45.176[.]27 – at the start of the attacker’s working day. On the preceding days the same activity had come from a proxy address – 209.95.60[.]92 – and, after a short delay, connections resumed from that proxy address.
“We suspect that this instance was an operational security failure by the threat actor at the start of their workday and, after a small delay, they came back via the intended route,” the team wrote.
“This is significant as the only North Korean IP addresses are three /24 networks which are directly controlled and used by the North Korean government, and as such it is extremely likely that this activity was initiated by a North Korean state actor.”
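The pattern described above (a single connection from a watch-listed address, bracketed by the same proxy address before and after) is easy to hunt for once the watch-list is a set of prefixes. The following is an added example, not WithSecure's code or the page's own: a small parser for constructed firewall-style log lines, a prefix check using Python's ipaddress module, and a function that, for each watch-listed hit, reports which other source addresses were seen in the days before and the hour after it. The log lines are constructed; the only prefix in DPRK_PREFIXES is 175.45.176.0/24, taken from the address quoted in the article. Any further prefixes are an assumption to be filled from a current allocation source, and the lookback/lookahead windows are assumptions too.

```python
"""Hunt for an opsec slip: a connection from a watch-listed range surrounded by proxy traffic.

Added example, not WithSecure's code. Log lines are constructed. DPRK_PREFIXES holds only
the /24 containing the address quoted in the article; extend it from an allocation source.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample of a firewall/proxy log: timestamp (UTC), source, destination, port, bytes.
SAMPLE_LOG = """\
2022-11-07T02:14:10Z src=209.95.60.92 dst=10.20.30.5 dport=443 bytes=18324
2022-11-07T02:52:41Z src=209.95.60.92 dst=10.20.30.5 dport=443 bytes=9021
2022-11-08T01:58:03Z src=175.45.176.27 dst=10.20.30.5 dport=443 bytes=412
2022-11-08T02:09:55Z src=209.95.60.92 dst=10.20.30.5 dport=443 bytes=22110
2022-11-08T03:30:12Z src=203.0.113.17 dst=10.20.30.5 dport=443 bytes=3300
"""

# Assumption: only the prefix implied by the article's address; add others from a real source.
DPRK_PREFIXES = [ipaddress.ip_network("175.45.176.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into sorted event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def in_watchlist(addr, prefixes=DPRK_PREFIXES):
    """True if the address (string or ipaddress object) falls inside any watch-listed prefix."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in prefixes)


def find_opsec_slips(events, lookback=timedelta(days=3), lookahead=timedelta(hours=1)):
    """For each watch-listed hit, report the non-watch-listed sources seen shortly before and after.

    A source present on both sides of the slip is the likely intended route (proxy or relay);
    delay_s is the time until that route reappears, the 'small delay' the article describes.
    """
    hits = []
    for i, ev in enumerate(events):
        if not in_watchlist(ev["src"]):
            continue
        before_ev = [e for e in events[:i]
                     if ev["ts"] - e["ts"] <= lookback and not in_watchlist(e["src"])]
        after_ev = [e for e in events[i + 1:]
                    if e["ts"] - ev["ts"] <= lookahead and not in_watchlist(e["src"])]
        before = {str(e["src"]) for e in before_ev}
        after = {str(e["src"]) for e in after_ev}
        proxies = before & after
        delays = [(e["ts"] - ev["ts"]).total_seconds() for e in after_ev if str(e["src"]) in proxies]
        hits.append({
            "ts": ev["ts"].isoformat(),
            "src": str(ev["src"]),
            "before": sorted(before),
            "after": sorted(after),
            "likely_proxy": sorted(proxies),
            "delay_s": int(min(delays)) if delays else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_opsec_slips(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed sample this reports one hit from 175.45.176.27, with 209.95.60.92 seen both in the preceding days and about twelve minutes afterwards, which is the shape of evidence the researchers describe. A single hit like this is a lead for attribution, not proof on its own; the article notes that tooling, password and timezone overlaps were needed to firm it up.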
The team was able to firm up the attribution due to observed tooling overlaps with other known Lazarus campaigns, password usage similarities with other campaigns, victim profiling, and timezone analysis.
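Timezone analysis, one of the corroborating factors listed above, usually means scoring candidate UTC offsets by how much of the attacker-driven activity falls inside a plausible local working day. The following is an added example, not WithSecure's method or code: it takes constructed UTC timestamps of hands-on-keyboard events and reports the offset (in half-hour steps, since some zones are not whole hours) under which the largest share lands in a 09:00-18:00 window. The working-day bounds and the sample timestamps are assumptions.

```python
"""Estimate an operator's UTC offset from activity timestamps.

Added example, not WithSecure's analysis. SAMPLE_TIMES are constructed and the 09:00-18:00
working day is an assumption; real data should be hands-on-keyboard events, not beacon timers.
"""
from datetime import datetime, timedelta

# Constructed UTC timestamps of interactive attacker activity (example data only).
SAMPLE_TIMES = [datetime.strptime(s, "%Y-%m-%dT%H:%MZ") for s in [
    "2022-11-07T00:05Z", "2022-11-07T00:40Z", "2022-11-07T01:15Z", "2022-11-07T02:30Z",
    "2022-11-08T03:10Z", "2022-11-08T04:45Z", "2022-11-08T05:20Z", "2022-11-08T06:00Z",
    "2022-11-09T07:35Z", "2022-11-09T08:20Z", "2022-11-09T08:50Z",
    "2022-11-09T12:00Z",  # one out-of-hours event, as real data always has
]]


def offset_scores(timestamps, work_start=9, work_end=18):
    """Map each candidate offset (UTC-12 .. UTC+14, half-hour steps) to the share of events in work hours."""
    scores = {}
    for half_hours in range(-24, 29):
        offset = timedelta(minutes=30 * half_hours)
        local_hours = [(ts + offset).hour for ts in timestamps]
        in_work = sum(1 for h in local_hours if work_start <= h < work_end)
        scores[half_hours / 2] = in_work / len(timestamps)
    return scores


def best_utc_offsets(timestamps, work_start=9, work_end=18):
    """Return (best_share, [offsets achieving it]); several offsets often tie, so report all of them."""
    scores = offset_scores(timestamps, work_start, work_end)
    best = max(scores.values())
    return best, sorted(k for k, v in scores.items() if v == best)


if __name__ == "__main__":
    share, offsets = best_utc_offsets(SAMPLE_TIMES)
    print(f"{share:.0%} of events in working hours at UTC offset(s) {offsets}")
```

For the constructed sample the unique best fit is UTC+9, with eleven of twelve events in working hours. Two caveats a practitioner would apply: the result says "an operator keeping office hours at this offset", not a country (several states share UTC+9), and it must be computed over interactive activity, since automated beacons and scheduled tasks will flatten the histogram.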
Based on all the evidence, it is now almost a certainty that the attack in question formed part of a wider campaign targeting healthcare researchers, chemical engineers, and technology manufacturers working with the energy, research, defence and healthcare sectors.
Lazarus’ ultimate aim in this was to gather intelligence on behalf of the North Korean government – a frequent goal of North Korean actors, alongside the cryptocurrency heists for which they are also known.
Some mystery does remain, however, surrounding the possible link to the BianLian ransomware. This was suspected at first because the Cobalt Strike activity that WithSecure detected was beaconing to a server previously identified as associated with the financially motivated BianLian group. However, subsequent research has not been able to establish any definitive links between BianLian and North Korea’s offensive cyber ops, and it is not possible to say whether one exists.
Don’t let down your guard
In this case, the Lazarus operative’s inadvertent error was a helpful one to researchers, and it is somewhat gratifying to know that threat actors are only human and make mistakes like anybody else.
However, anybody wanting to interpret this as a reason not to worry about Lazarus too much would be making a critical error of their own, said Tim West, WithSecure head of threat intelligence.
“In spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints,” he said.
“Even with accurate endpoint detection technologies, organisations need to continually consider how they respond to alerts and integrate focused threat intelligence with regular hunts to provide better defence in depth, particularly against capable and adept adversaries,” he said.
The full, in-depth research can be read here.
This article was updated on 3 February 2023 to correct, ironically, an incorrect IP address.