Cyber Threat Actor: Lazarus Group
| Actor Type | Location | Known Incidents |
Nation State
|
North Korea
|
3 incidents |
|---|
Profile
Lazarus Group, also known as Hidden Cobra and referenced as Kimsuky in some reporting, is a threat actor attributed to the North Korean government. The group is described as a state‑sponsored advanced persistent threat (APT) linked to Bureau 121, the cyber warfare division of North Korea’s Reconnaissance General Bureau. Public statements from the United States government indicate the group was formed around 2007 and has been tracked by multiple national cyber security centres. The United Kingdom’s National Cyber Security Centre has assessed that Lazarus launched the WannaCry ransomware campaign. These attributions establish a clear nexus between the group’s activities and North Korean state interests.
Lazarus has targeted financial institutions worldwide, including banks using the SWIFT messaging system, as seen in the Bangladesh Bank heist and attempted intrusions against Taiwanese and Mexican banks. The group has repeatedly attacked cryptocurrency platforms, attempting to steal digital assets from exchanges and cross‑chain protocols such as deBridge Finance. Beyond finance, Lazarus has pursued espionage goals, for example attempting to compromise a South Korean drug manufacturer to obtain COVID‑19 vaccine and treatment technology. Defense sector entities have also been victimized, with intrusions reported against Israeli defense industry networks and Indian nuclear power plant administrative systems. In addition to theft and espionage, the group has deployed ransomware that causes broad disruption, most notably the WannaCry outbreak that affected hospitals, government agencies and corporations in over 150 countries. These patterns show a mix of financially motivated theft, intelligence collection and disruptive operations as the group’s observed objectives.
Initial access frequently involves spear‑phishing emails that contain malicious attachments such as fake PDFs, Word documents with macros or MHTML files. Social engineering tactics include fabricated LinkedIn job offers and impersonated security researcher personas to lure targets into executing malware. Once inside a network, Lazarus has used a variety of malware families, including the Dtrack backdoor, the PowerRatankba PowerShell toolkit, the WannaCry ransomware and the KillDisk wiper. The group’s tooling incorporates credential harvesters like a tailored version of Mimikatz, custom portable executable loaders that run in lsass.exe and utilities that manipulate registry keys via schtasks. Lazarus has exploited software vulnerabilities to gain execution, notably the Internet Explorer zero‑day disclosed in 2021, an ActiveX zero‑day used against a South Korean think tank and the EternalBlue SMB vulnerability that enabled WannaCry’s rapid spread. The attackers also employ command‑and‑control infrastructure to download additional payloads and maintain persistence through startup folder registration or service installation.
The 2016 Bangladesh Bank heist, in which attackers attempted to transfer nearly one billion dollars and succeeded in moving about eighty‑one million dollars, is frequently cited as a hallmark Lazarus operation. The global WannaCry ransomware attack of May 2017, which encrypted systems in dozens of countries and disrupted the UK National Health Service, has been publicly linked to Lazarus by multiple governments and security firms. More recently, Lazarus actors have been observed targeting cryptocurrency firms, using phishing emails with fake salary‑change PDFs to deliver malware that harvests system information and communicates with attacker‑controlled servers. Espionage‑focused intrusions include the 2021 attempt against a Korean drug maker to steal COVID‑19 vaccine research and the 2020 breach of an Israeli defense contractor that was detected in real time. The group’s activity also extends to the energy sector, where North Korean malware was discovered on the administrative network of an Indian nuclear power plant, although the infection did not reach critical control systems. These examples illustrate the breadth of Lazarus’s publicly reported campaigns across finance, technology, defense and critical infrastructure.
