Lazarus, advanced persistent threat group, targets the defense industry

BUSINESS

Lazarus is one of today’s most prolific threat actors. Active since at least 2009, Lazarus has been involved in large-scale cyberespionage campaigns, ransomware campaigns, and even attacks against the cryptocurrency market. While the past few years they’ve been focusing on financial institutions, at the beginning of 2020, it appears they have added the defense industry to their “portfolio”.

Kaspersky researchers first became aware of this campaign when they were called in to assist with incident response, and they discovered that the organization had fallen victim to a custom backdoor (a type of malware that allows complete remote control over the device). Dubbed ThreatNeedle, this backdoor moves laterally through infected networks and extracts confidential information. So far, organizations in more than a dozen countries have been affected.

Initial infection occurs through spear phishing; targets receive emails that contain either a malicious Word attachment or a link to one hosted on company servers. Often times, the emails claimed to have urgent updates related to the pandemic and came, supposedly, from a respected medical center.

Once the malicious document is opened, the malware is dropped and proceeds to the next stage of the deployment process. The ThreatNeedle malware used in this campaign belongs to a malware family known as Manuscrypt, which belongs to the Lazarus group and has previously been seen attacking cryptocurrency businesses. Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands.

One of the most interesting techniques in this campaign is the group’s ability to steal data from both office IT networks (a network that contains computers with internet access) and a plant’s restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access). According to company policy, no information is supposed to be transferred between these two networks. However, administrators could connect to both networks to maintain these systems. Lazarus was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there.

“Lazarus was perhaps the most active threat actor of 2020, and it doesn’t appear that this will change anytime soon. In fact, already in January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out,” comments Seongsu Park, senior security researcher with the Global Research and Analysis Team (GReAT).

“Lazarus is not just highly prolific but highly sophisticated. Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spear phishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it’s important organizations take extra security precautions to safeguard against these types of advanced attacks,” adds Vyacheslav Kopeytsev, security expert with Kaspersky ICS CERT.

Read more about the ThreatNeedle campaign on the Kaspersky ICS CERT website.

You can also hear Seongsu Park present Kaspersky’s ThreatNeedle research, as well as listen to other juicy APT findings, at the newest edition of GReAT Ideas: Green Tea Edition on February 25. Register here: https://kas.pr/9f5k

To protect your organizations from attacks like ThreatNeedle, Kaspersky experts recommend:

Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
If an enterprise has operational technology (OT) or critical infrastructure, make sure it is separated from a corporate network or that there are no unauthorized connections.
Ensure that employees are aware of and follow cybersecurity policies.
Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years.
Implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
It is also recommended to implement a dedicated solution for industrial nodes and networks that enables OT network traffic monitoring, analysis and threat detection – such as Kaspersky Industrial CyberSecurity.

About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com

About Kaspersky:

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologiesand we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Send us your press releases to pressrelease.zawya@refinitiv.com

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.

Lazarus, advanced persistent threat group, targets the defense industry

DISCOVER MORE

Department of Digital Ajman partners with Sprinklr to deliver a unified citizen experience across all channels

EWEC announces partners to develop 1.5 gigawatt solar project in Abu Dhabi

Devmark and Divine One Group are set to launch Hammock Park residences, bringing Miami Beach-style living to Wasl Gate

Abu Dhabi Airports reports strong results for Q1 2024

Response Plus Medical completes acquisition of Prometheus Medical, accelerates global expansion plans

Burjeel Medical City carries out its first deceased donor Liver transplant

Dubai is the eighth-most affordable city of the top ten most visited cities worldwide, new data reveals

Bayanat and Yahsat shareholders approve merger to create SPACE42

Victor moves headquarters to Abu Dhabi

Albal Design launches UAE's first science based interior design concept

Joby partners with Abu Dhabi to establish electric air taxi ecosystem

Daikin extends special support to flood-affected communities to restore air conditioning systems

UAE retail investors embrace the AI boom, using AI tools to shape their investments

Ajman Free Zone registers 1,792 new companies in 2021

Thob Al Aseels net profits down 27.5% in 2021; dividends approved

Kiverco supports UAE-based Dulsco to create circular economy

Oman logs 6,260 business activities during Q3 2021

DMCC launches growth programme for social impact businesses in Dubai

LATEST VIDEO

VIDEO: Expect more extreme weather threats like UAE floods worldwide – Climate expert

ZAWYA COVERAGE

UAE’s Bayanat, Yahsat shareholders approve merger to create SPACE42

Dubai-listed Mashreq’s Q1 2024 net profit surges to $544mln

87% of Saudi Vision 2030 initiatives now complete, on track

Most UAE investors bet on AI for huge returns - survey

Australia shares fall as bleak data tones down rate-cut bets

Russian rouble hovers near one-month high ahead of expected rate hold

Google parent announces first-ever dividend; beats on sales, profit; shares soar

Nomura Q4 net profit jumps almost eight fold on retail income surge

NatWest first-quarter profit slides 27%

THE BRI REPORT

China’s flagship global infrastructure initiative is changing in the face of potent headwinds