The recent unveiling of a sinister alliance between an IT company1 and North Korean hackers, it’s evident that the cyber threat landscape has taken a dark turn. Learn more about North Korean Hackers, Lazarus and the company that wen’t rogue.
Conspiracy with the ‘Lazarus’ Group
Data recovery firms, in a premeditated collaboration with North Korean hackers, disseminated ransomware across systems. Once deployed, these firms earned a staggering 3.4 billion won by offering the decryption key to the affected victims on portal sites.
The police have identified the culprits behind these cyberattacks as members of the notorious ‘Lazarus’ group, a subsidiary of the Reconnaissance General Bureau, North Korea’s primary intelligence entity.
From October 2018 to September 2022, entities like Company A exploited 778 victims2, amassing an illicit fortune. The National Police Agency’s National Security Investigation Unit has since charged several individuals, including the top brass and employees of Company A. They now stand accused under the Information and Communications Network Act, facing severe charges of aiding and perpetrating extortion.
The Modus Operandi
Ransomware, a malignant blend of ‘ransom’ and ‘malware’, has emerged as a potent tool for cybercriminals. Hackers, like those from the Lazarus group, breach systems, encrypt critical files, and then demand a ransom for their safe decryption. Company A, capitalizing on this fear, positioned itself as the sole savior, capable of decrypting files that other companies couldn’t. Their advertising strategy, particularly ‘keyword advertising’, targeted victims specifically affected by this ransomware.
However, police investigations have unearthed a deeper conspiracy. Company A had previously coordinated with North Korean hackers, obtaining a manual to unlock the ransomware. Seized communications from Company A, including Telegram chats and emails, reveal explicit collaborations with North Korean entities. The conversations hint at Company A’s prior knowledge of the Lazarus group’s involvement and their joint criminal endeavors.
Lazarus: A Brief Overview
Lazarus, a hacker syndicate linked to the Reconnaissance General Bureau, has a notorious track record. They were implicated in the Sony Pictures hack in the US in 2014, the Central Bank of Bangladesh breach in 2016, and the global WannaCry ransomware attack in 2017. Recent actions by the South Korean government in February marked Lazarus as a primary target for cyber sanctions against North Korea.
As victims reached out to Company A post the ransomware deployment, they were met with a grim message. They were informed that the only way to retrieve their data was to transfer Bitcoin to the hacker-specified electronic wallet. The victims were then levied a significant recovery agency fee, which included both the hacker negotiation cost and an additional agency charge.
It’s now understood that the North Korean hackers received their payment in untraceable virtual currencies like Bitcoin from Company A.
Some wallet addresses, to which Company A transferred funds, have been identified as those owned by North Korean hacker groups, as mentioned in the ‘ROK-US Joint Cybersecurity Advisory3‘. The police are delving deeper to ascertain the total funds transferred to these North Korean entities.
Protection and Prevention
The police, in a bid to safeguard the public and prevent further damages, are actively probing into ransomware-related offenses. Collaborations with agencies like the Ministry of Science and ICT and the Korea Internet & Security Agency are underway to preemptively thwart similar incidents in the future.