The North Korean military’s notorious hacking arm – known as the Lazarus Group – has been accused of targeting public and private sector research organizations, an Indian medical research company and other businesses in the energy sector.
Security analysts at WithSecure said they were called on to respond to a cyberattack that they initially tied to the BianLian group – a ransomware gang that has targeted the health care, education, insurance and media industries since at least December 2021. But on closer examination, they assessed that several key factors pointed to Lazarus.
“One of the victims was in the health care research vertical within India. In recent years the Indian research and technology sector has been a common target of those North Korean threat groups with a focus on intelligence collection,” the researchers said.
“Other victims of this campaign identified by WithSecure included health care research, a manufacturer of technology used in energy, research, defense, and health care verticals, as well as the chemical engineering department of a leading research university.”
The researchers named the campaign “No Pineapple” after an error message they found in the code of a backdoor tool recovered during their investigation.
The attackers were focused on intelligence gathering, and started with an attack on an unnamed company that was exploited through CVE-2022-27925 and CVE-2022-37042 – two bugs affecting digital collaboration platform Zimbra that U.S. agencies expressed concern about in August 2022.
The hackers used the bugs to gain access to a Zimbra mail server at the end of August 2022 and likely exfiltrated the contents of the mailboxes.
By October 2022, the group moved laterally to another vulnerable device on the network and used malware to eventually steal 100 GB of data on November 5. Despite the massive amounts of data stolen, the group never took destructive actions while in the victim network.
New report from us: ”No Pineapple”. We assess that this attack campaign is coming from the 3rd Bureau of North Korean People’s Army. We believe North Korea used this attack for technological and commercial espionage. https://t.co/Cwk17ZOhqN — @mikko (@mikko) February 2, 2023
The researchers attributed the attack to the Lazarus Group based on the malware used and several operational mistakes made by the group during their intrusion. The infrastructure used by the group during the attack has been tied to previous Lazarus campaigns identified by other security companies.
“The overall toolkit of the threat actor is very similar to other reported instances of North Korean groups,” the researchers said. “The usage of Dtrack and Grease malware has been previously associated with Kimsuky, while Dtrack is also in the Lazarus arsenal. The toolkit aligns with other reporting of this campaign from Talos Intelligence and Symantec.”
The researchers were also able to tie the activity to North Korea based on the hours of operation, noting that most of the actions took place between 00:00 and 15:00 UTC (09:00 and 21:00 UTC +9) and between Monday and Saturday – a work pattern common for those in North Korea.
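The hours-of-operation check described above, as an added example that is not from the WithSecure report: it takes a constructed list of UTC event timestamps (the kind an analyst pulls from mail-server or endpoint logs), tallies them by hour and weekday, and reports the share that falls inside the Monday-to-Saturday, 00:00 to 15:00 UTC window, with a UTC+9 view of each event for review.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of attacker-attributed event timestamps in UTC.
# Illustrative values only, not data from the WithSecure investigation.
SAMPLE_EVENTS_UTC = [
    "2022-08-29T01:12:00Z", "2022-08-29T03:40:00Z", "2022-08-30T06:05:00Z",
    "2022-09-01T11:30:00Z", "2022-09-03T14:20:00Z", "2022-09-05T00:45:00Z",
    "2022-09-06T09:10:00Z", "2022-09-08T13:55:00Z", "2022-09-10T02:30:00Z",
    "2022-09-11T05:00:00Z",  # Sunday: outside the weekday pattern
    "2022-09-12T19:00:00Z",  # Monday, but late in UTC: outside the hour window
    "2022-09-14T07:25:00Z",
]

UTC_PLUS_9 = timezone(timedelta(hours=9))
WORK_HOURS_UTC = range(0, 15)   # 00:00-14:59 UTC, the window the report cites
WORK_DAYS = set(range(0, 6))    # Monday=0 .. Saturday=5


def parse_utc(stamp):
    """Parse an ISO 8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def activity_profile(stamps):
    """Return (hour_histogram_utc, weekday_histogram, fraction_in_window).

    fraction_in_window is the share of events on Mon-Sat between 00:00 and
    15:00 UTC, the working pattern used as one attribution signal.
    """
    hours, days, in_window = Counter(), Counter(), 0
    for stamp in stamps:
        t = parse_utc(stamp)
        hours[t.hour] += 1
        days[t.weekday()] += 1
        if t.hour in WORK_HOURS_UTC and t.weekday() in WORK_DAYS:
            in_window += 1
    share = in_window / len(stamps) if stamps else 0.0
    return hours, days, share


def local_view(stamp):
    """Render the same event at the UTC+9 offset for human review."""
    return parse_utc(stamp).astimezone(UTC_PLUS_9).strftime("%a %H:%M UTC+9")


if __name__ == "__main__":
    _, _, share = activity_profile(SAMPLE_EVENTS_UTC)
    print(f"{share:.0%} of events fall inside the Mon-Sat 00:00-15:00 UTC window")
    for stamp in SAMPLE_EVENTS_UTC:
        print(stamp, "->", local_view(stamp))
```

A high in-window share is only one signal; it should be weighed alongside infrastructure, tooling and other evidence, as the researchers did here.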
They also found connections to a North Korea IP address that WithSecure concluded was “an operational security failure by the threat actor.”
“This is significant as the only North Korean IP addresses are three /24 networks which are directly controlled and used by the North Korean government, and as such it is extremely likely that this activity was initiated by a North Korean state actor,” they said.
WithSecure analysts were able to tie the campaign to several other victims after an investigation. The use of the Dtrack malware tied back to another Lazarus cyberattack in 2019 on India’s Kudankulam Nuclear Power Plant.
WithSecure said the Lazarus Group operates within the 3rd Bureau of North Korean People’s Army – a unit tasked with intelligence gathering and technological/commercial espionage.
The report on the incident also notes that there is significant overlap in the tools used by different hacking groups within the North Korean military. The attack used tools typically deployed by Kimsuky – a group attributed to North Korea’s 5th Bureau that focuses on hacking targets in South Korea – as well as APT37 which is based within the Ministry of State Security and also focuses on South Korea.
In April 2022, the U.S. State Department offered a reward of up to $5 million for information about actors connected to North Korean digital operations that help keep the regime afloat and fund its weapons programs.
The Lazarus Group and other North Korean military arms are accused of being responsible for $1.7 billion worth of cryptocurrency theft in 2022, shattering their own records.
The U.S. Treasury has openly accused North Korea of being involved in the $100 million hack of Harmony Bridge and of orchestrating the headline-grabbing attack on Axie Infinity’s Ronin Network, which saw almost $600 million in cryptocurrency stolen.