Menu
Browse

Cyber Threat Actor: Lazarus Group

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
North Korea
2 incidents
Profile

Lazarus Group is tracked under the aliases Hidden Cobra, Guardians of Peace and Zinc. The group is assessed to operate from North Korea and is considered a state‑sponsored actor. Its activity has been observed globally, with ransomware campaigns affecting a wide range of industries and geographic regions. The WannaCry incident illustrates a financially motivated operation that encrypted data on unpatched Windows systems and demanded Bitcoin payments. Intrusions attributed to the Guardians of Peace alias, such as the 2014 Sony Pictures breach, involved the theft of corporate data, executive communications and internal documents, indicating an espionage‑oriented objective. More recent reporting describes a hacker collective using the names “John Wick” and “Korean Hackers” that targeted Indian media outlets, a video‑on‑demand platform and government social‑media accounts. Those operations were accompanied by demands for Ethereum donations, showing a financial motive, while the defacement of websites and the broadcast of push‑notification messages served to disrupt normal communications and manage the actors’ public perception. The exfiltration of subscriber databases, source code and cloud‑service credentials points to an espionage‑related goal of gathering proprietary information.

The WannaCry ransomware employed the EternalBlue exploit against the SMBv1 protocol, leveraging NSA‑developed tools that were released by the Shadow Brokers group. Initial access in that campaign was achieved by scanning for and exploiting unpatched Windows machines, after which the ransomware propagated laterally as a worm. Beyond ransomware, the actor has been observed using remote‑access tools and credential‑harvesting techniques, as evidenced by claims of installing a remote access tool on an open directory and capturing internal IP addresses, ports, usernames, passwords and JSON authentication tokens for push‑notification campaigns. Tooling includes the abuse of legitimate services: PasteBin was used to host denial‑of‑involvement messages that were linked from browser notifications, while Bitbucket repositories were used to store and share stolen source code and AWS bucket credentials. The group also demonstrated a capability to harvest and threaten to sell large volumes of data, claiming to have downloaded 150 GB of private information from a streaming service. Notable campaigns include the 2017 WannaCry outbreak that impacted over 300 000 computers in 150 countries, causing disruption to healthcare, manufacturing and logistics sectors. Another prominent operation is the 2014 Sony Pictures breach, attributed to Guardians of Peace, which resulted in the leak of unreleased films, internal emails and executive salaries. The alleged 2020 intrusions against CNN‑News18 and ZEE5 involved website defacement, the sending of push notifications denying involvement in unrelated attacks and attempts to monetize the stolen data by demanding Ethereum payments. Collectively, these examples illustrate a pattern of financially driven ransomware, data‑theft for espionage and disruption‑focused messaging campaigns.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources