N. Korean cyber thieves targeting banks, casinos worldwide

by WorldTribune Staff, April 6, 2017

A North Korean hacking group, known as Lazarus, has launched a global digital robbery ring that is targeting banks, casinos and trading firms dealing in digital currency, a group of cyber forensics analysts said.

A report released this week by Kaspersky Lab, a Moscow-based cybersecurity and virus protection firm, does not single out North Korea’s government as being responsible for the attacks, “but very little goes on in that country without regime leaders knowing about it, and it’s unlikely an operation the size of Lazarus would not have official endorsement,” McClatchy DC reported on April 5.

The Kaspersky report said North Korea is climbing fast into the ranks of nations with significant cyber capabilities.

“We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit within the group, which we have dubbed Bluenoroff, is responsible for financial profit,” the report says.

Lazarus, which stole $81 million from the central bank of Bangladesh last year, “has command and control servers all over the world,” said Eric Chien, director of Symantec Security Response.

Chien said that Lazarus malware remained embedded in financial networks and hackers awaited the chance to transfer funds.

“This is the first time we’ve seen a nation-state stealing a lot of money,” Chien said.

California-based Symantec said it had discovered a target list by Lazarus hackers that indicated they were seeking to break into 104 entities in 31 countries, including more than 15 targets in the United States, McClatchy reported.

“It’s one thing to go after a bank in Bangladesh. It’s another thing to go after a big U.S. bank,” said Chien, who helped uncover the Stuxnet attack on Iran’s nuclear program. That attack, which is believed to have been designed by Israel and the United States, caused thousands of Iranian centrifuges to spin out of control and shatter.

According to the Kaspersky report “Lazarus Under the Hood”, among the countries the North Korean hackers have targeted are Mexico, Uruguay, Peru, India, Nigeria, Australia, Russia and Norway. Other types of malicious code associated with Lazarus were found in Costa Rica, Brazil, Chile, Gabon, Kenya, Ethiopia, Malaysia, Vietnam, Thailand and Iraq.

In at least one case, the report says, a server that had been hijacked by Lazarus hackers pinged back to a server in North Korea.

Symantec said that multiple pieces of Lazarus malware had turned up in sustained attacks on banks in Poland that began last October.