Connect with us

Hi, what are you looking for?

HEADLINES

Lazarus, advanced persistent threat group, targets the defense industry

Lazarus is one of today’s most prolific threat actors. Active since at least 2009, Lazarus has been involved in large-scale cyberespionage campaigns, ransomware campaigns, and even attacks against the cryptocurrency market.

Kaspersky researchers have identified a new, previously unknown, campaign from Lazarus, a highly prolific advanced threat actor active since at least 2009 that has been linked to a number of multifaceted campaigns. Since early 2020, it has been targeting the defense industry with a custom backdoor dubbed ThreatNeedle. The backdoor moves laterally through infected networks gathering sensitive information.

Lazarus is one of today’s most prolific threat actors. Active since at least 2009, Lazarus has been involved in large-scale cyberespionage campaigns, ransomware campaigns, and even attacks against the cryptocurrency market. While the past few years they’ve been focusing on financial institutions, at the beginning of 2020, it appears they have added the defense industry to their “portfolio”. 

Kaspersky researchers first became aware of this campaign when they were called in to assist with incident response, and they discovered that the organization had fallen victim to a custom backdoor (a type of malware that allows complete remote control over the device). Dubbed ThreatNeedle, this backdoor moves laterally through infected networks and extracts confidential information. So far, organizations in more than a dozen countries have been affected.

Initial infection occurs through spear phishing; targets receive emails that contain either a malicious Word attachment or a link to one hosted on company servers. Oftentimes, the emails claimed to have urgent updates related to the pandemic and came, supposedly, from a respected medical center. 

Advertisement. Scroll to continue reading.

Once the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt, which belongs to the Lazarus group and has previously been seen attacking cryptocurrency businesses. Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands. 

One of the most interesting techniques in this campaign is the group’s ability to steal data from both office IT networks (a network that contains computers with internet access) and a plant’s restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access).  According to company policy, no information is supposed to be transferred between these two networks. However, administrators could connect to both networks to maintain these systems. 

Lazarus was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there.  

“Lazarus was perhaps the most active threat actor of 2020, and it doesn’t appear that this will change anytime soon. In fact, already in January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out,” comments Seongsu Park, senior security researcher with the Global Research and Analysis Team (GReAT).

“Lazarus is not just highly prolific but highly sophisticated. Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spear phishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it’s important organizations take extra security precautions to safeguard against these types of advanced attacks,” adds Vyacheslav Kopeytsev, security expert with Kaspersky ICS CERT. 

Advertisement. Scroll to continue reading.

To protect your organizations from attacks like ThreatNeedle, Kaspersky experts recommend:  

  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • If an enterprise has operational technology (OT) or critical infrastructure, make sure it is separated from a corporate network or that there are no unauthorized connections. 
  • Ensure that employees are aware of and follow cybersecurity policies. 
  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years. 
  • Implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform. 
  • It is also recommended to implement a dedicated solution for industrial nodes and networks that enables OT network traffic monitoring, analysis and threat detection – such as Kaspersky Industrial CyberSecurity.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

In rigorous evaluations conducted by prestigious cybersecurity testing organizations, Kaspersky Plus (starting in Q4 2024, Kaspersky Premium), Kaspersky Endpoint Security for Business (KESB), and...

HEADLINES

"Given the Philippines' high exposure to cyber threats, it's important for both individuals and businesses to stay vigilant," said Adrian Hia, Managing Director for...

White Papers

When compared to 2023, Sophos saw a 51% increase in abusing “Living off the Land” binaries or LOLbins; since 2021, it’s increased by 83%.

HEADLINES

Someone illegally acquires or uses personal information such as bank account or credit card numbers of another person to obtain money, goods or services....

HEADLINES

To stay ahead of these challenges, organizations need to invest in AI-driven defenses, transition to quantum-safe encryption, and adopt a Zero Trust approach to...

HEADLINES

There was a 121% Year-on-Year (YoY) increase in identity fraud in 2024 across the region, with significant surges recorded in Singapore (207%), Thailand (206%)...

HEADLINES

As part of RCBC’s 2024 Cybersecurity literacy program, the webinar aims to help Filipinos level up their online banking safety by providing them with...

White Papers

The survey found that CXO’s feel less prepared than their global peers. Less than half or 48% in APAC said they felt completely prepared...

Advertisement