Lazarus Group: Flash Focus Modus Operandi – Is the healthcare industry on the radar?
At Citalid, we turn strategic cyber threat intelligence (CTI) and predictive algorithms into advanced cyber risk quantification (CRQ). With our CTI team tracking over 700 threat actors, we continuously feed our dynamic CRQ engines to provide our clients with a contextualised threat landscape. Dive into our comprehensive CTI reports and geopolitical context analysis.
Today we reveal the activities and strategies of the Lazarus Group. Recent intelligence suggests that Lazarus is increasingly targeting the healthcare sector, with a particular interest in Europe. Citalid proposes an in-depth analysis of this cyber threat, attributed to North Korea, to better understand the situation and explore the potential escalation of healthcare-related targeting.
Quick look at Lazarus’ profile
Active since at least 2009, Lazarus is a threat actor that was publicly attributed to North Korea by the United States in 2018, particularly following the WannaCry 2.0 ransomware incident in 2017. Specifically, it is believed to be operated by the Bureau of General Reconnaissance (BGR), a North Korean intelligence agency dedicated to foreign operations and cyber offensives, among other things.
Lazarus is an “umbrella” threat actor, meaning that it encompasses several subsets of cyber offensive activities. Its operational activity is characterised by its responsiveness, versatility and intensity, with persistent campaigns over time. For example, the Dream Job campaign, which targets cybersecurity researchers and strategic companies, has been active since at least 2020. Lazarus is also characterised by its dual activity, engaging in both cyber espionage operations and profit-oriented activities. These activities are part of a strategy to circumvent international sanctions imposed on North Korea, allowing Pyongyang to obtain foreign currency that can be used to fund North Korean weapons programmes. The use of ransomware and the targeting of cryptocurrency platforms and financial institutions are common, as evidenced by the 2016 cyber attack on the Bank of Bangladesh.
A modus operandi that breaks the news
3CX Campaign
On 20 April 2023, the US security company Mandiant detected a Lazarus cyber attack against the supply chain of the software company 3CX. This company provides professional communications software (including instant messaging and video conferencing systems). The threat actors first compromised 3CX’s development environment. Lazarus then integrated malware into a legitimate version of 3CX’s software, which was then downloaded and installed undetected by customers. According to the Slovak security vendor ESET, several hundred Lazarus-compromised applications were still in use as of mid-September 2023.
What makes this cyber attack unique is that it actually originated from an initial attack on the supply chain with a booby-trapped version of X_Trader, a professional financial trading software that has been obsolete since 2022. This was then downloaded onto the 3CX network. According to Symantec, it is likely that the attackers’ initial motivation was financial, but given the scale of the compromises, this is likely to evolve into espionage.
Continuation of the Dream Job campaign
On 29 September 2023, the compromise of a Spanish aerospace company was revealed by ESET. Lazarus operators gained access to the company’s network through a targeted phishing campaign posing as a recruiter from the American company Meta. The fake recruiter first contacted the victim on LinkedIn. The “candidate” was then asked to complete a written test delivered as an attachment, which contained a malicious backdoor. According to ESET, this operation is part of the wider Dream Job campaign, which uses fake recruiters to compromise companies operating in strategic sectors such as aerospace.
Cryptocurrencies
On 6 September 2023, Lazarus was accused of stealing $41 million (in various cryptocurrencies, including ethereum and bitcoin) from the online betting and virtual casino platform Stake.com. In 2023, Lazarus is suspected of fraudulently collecting over $200 million from various sites and platforms specialising in cryptoassets.
Targeting the healthcare sector
On 24 August 2023, US security vendor Cisco Talos published a report on the targeting of internet backbone infrastructure and healthcare organisations in Europe and the US. During this campaign, Lazarus relied on the exploitation of the CVE-2022-47966 Zoho ManageEngine vulnerability (patched in October 2022), five days after the publication of the proof of concept (PoC) on 18 January 2023. In this context, the threat actor used a new tool called QuiteRAT, which allows attackers to remotely access the victim’s network.
Deciphering these offensive operations
The activities associated with Lazarus in 2023 coincide with the threat actor’s historical activities and the interests of the North Korean regime. The aim is to supply Pyongyang’s strategic projects, particularly in the field of armaments, with information and intellectual property stolen from foreign companies and with foreign currency, thus guaranteeing financial resources despite international sanctions.
Given the characteristics of the North Korean cyber threat – a constrained environment in terms of human, financial and technical resources – Lazarus’ operations are characterised by their boldness, virulence, intensity and economy of means. These choices would explain operations against the supply chain (the first victim provides access to multiple victims), the use of social engineering (technically undemanding) and the targeting of cryptocurrency exchange platforms (concentration of large amounts of money).
Although the US Health Sector Cybersecurity Coordination Center (HC3) issued a warning bulletin on 18 September about the targeting of the healthcare sector based on the Cisco Talos report, cyber offensive operations against the sector do not appear to be a priority for North Korean threat actors. If it is targeted, it is likely to be for the purpose of extorting funds from highly profitable Anglo-Saxon private institutions. In 2022, the US authorities had already issued an alert on the use of the Maui ransomware by North Korean actors against the healthcare sector. The attackers’ goal remained financial extortion. Mandiant had downplayed this warning, suggesting that the sector was not a priority for North Korean actors. However, according to CNN, the data collected by the healthcare attackers could be used to fuel cyber-attacks against government entities.
Depending on current events, this prioritisation may change. In 2020, in the wake of COVID-19, Lazarus rapidly refocused its activities on the healthcare sector, in particular on organisations involved in pharmaceutical and vaccine research, conducting cyber espionage operations to gather intellectual property and strategic information.
Interested in knowing more about another Threat Actor? Read our blog post about Black Cat. Want to focus on the health industry? Download a copy of our e-book on the State of the Threat for Health facilities in France.