Rob Behnke
October 16th, 2023
The blockchain and crypto space experiences cyberattacks from various different threat actors. In some cases, cyberattacks are carried out by an individual or even a trusted insider with a particular project. In others, they are performed by an organized cybercrime group.
The Lazarus Group is one example of a cybercrime group that has moved into the crypto space. While this group has a background in attacking a wide range of industries, it has also been responsible for several large-scale hacks of crypto and DeFi projects.
The Lazarus Group is a cybercrime group that has been active since at least 2009. It is commonly believed to be an advanced persistent threat (APT) group affiliated with the North Korean government. More specifically, the group is believed to be associated with North Korea’s Reconnaissance General Bureau (RGB), which is one of North Korea’s primary intelligence agencies. This belief is supported by the fact that many of their attacks target South Korea and are performed for the purpose of disruption, destruction, and espionage.
However, the Lazarus Group has been known to perform cyberattacks with financial motives as well. They commonly target the financial sectors but have been known to attack organizations in various industry verticals around the world.
Some of the most famous hacks linked to the Lazarus Group include:
Sony Pictures (2014): In 2014, Sony Pictures released “The Interview,” a fictional movie describing an assassination plot against the leader of North Korea. As a result, the Lazarus Group hacked Sony and stole and leaked large amounts of sensitive data, causing the company an estimated $150 million in damages.
WannaCry (2017): The 2017 WannaCry outbreak kicked off the modern era of ransomware attacks. This ransomware worm used the EternalBlue exploit — stolen from the NSA — to infect hundreds of thousands of computers worldwide and caused an estimated $4 billion in losses worldwide.
Bangladesh Bank Heist: The Lazarus Group allegedly attempted to steal $1 billion from the Bangladesh Central Bank. The attack targeted the SWIFT system — used for inter-bank transfers — and successfully stole about $81 million.
While these cyberattacks have been linked to the Lazarus Group, attribution is typically difficult in cybersecurity and is often based on the tactics, techniques, and procedures (TTPs) used in an attack and associated with a hacking group. As a result, it’s entirely possible that many other high-profile attacks were performed by the Lazarus Group but not successfully linked to them.
The challenges of attribution also make it difficult to conclusively link other hacking groups to Lazarus and other cybercriminals.
For example, the Bluenoroff and Andariel hacking groups are believed to be sub-groups of Lazarus and may specialize in particular types of attacks or targets.
As a long-lived APT group, the Lazarus Group has grown and evolved significantly since it first emerged in 2009. When the group was initially formed, it was believed to be an amateur hacking group. However, the group has grown a great deal more sophisticated over the years, refining its techniques and developing new tools to support its attack campaigns. The modern Lazarus Group performs hacks all over the world and has the capability to develop custom malware — including remote access trojan (RAT) — to support its attack campaigns.
The Lazarus Group is a sophisticated cybercriminal group. It likely has the backing of the North Korean government, meaning that it has the resources and the knowledge to develop and carry out highly sophisticated cyberattacks. The group has also been in operation for 14 years, demonstrating its staying power and providing it with ample opportunity to learn and grow.
The Lazarus Group has been known to write and deploy custom malware as part of its attacks. For example, MagicRAT and QuiteRAT are examples of RAT malware linked to the group. The Lazarus Group has also been known to exploit zero-day vulnerabilities in their attacks.
However, the group is likely best known for its sophisticated social engineering attacks. Social engineering attacks target the human factor, using deception, trickery, and coercion to carry out the attacker’s objectives. In many of their attacks, the Lazarus Group has been known to use these techniques to gain initial access to a target environment. By tricking people into handing over passwords, private keys, or other sensitive information, the Lazarus Group can abuse this access to access protected systems or steal cryptocurrency from their targets.
The Ronin Bridge hack is the biggest and most expensive DeFi hack to date. In this attack — attributed to the Lazarus Group by the FBI — social engineering was used to steal approximately $625 million from the protocol.
Ronin is a cross-chain bridge using a Proof of Authority (PoA) scheme with nine validators. For a cross-chain transaction to be approved, five of the nine validators needed to sign off on it using their private keys.
Instead of identifying and exploiting vulnerabilities in the bridge’s code, the Lazarus Group used social engineering to gain the access that they needed. Of the five validators required to perform the hack, Sky Mavis controlled four and had access to the fifth.
Allegedly, the Lazarus Group gained the access that they needed via a fake job offer to a Sky Mavis employee from a company that didn’t exist. This job offer involved a malware-infected PDF that provided the attacker with a foothold on the company’s systems. From there, the attacker was able to move laterally through Sky Mavis’s network to gain access to the systems hosting Sky Mavis’s four validators and the gas-free RPC node used to gain a signature from Axie DAO.
This hack of the Ronin Bridge exemplifies the Lazarus Group’s normal tactics when carrying out an attack. Social engineering — in this case, a spear phishing attack — got their malware on a target’s computer, and, from there, the group has the knowledge and tools necessary to identify and exploit vulnerabilities and achieve their goal.
The crypto and DeFi space has — unfortunately — suffered numerous high-value hacks. Some of these have been performed by individuals and independent actors; however, the Lazarus Group has certainly made its mark in the space.
In addition to the Ronin Hack, the Lazarus Group was also behind the Harmony Horizon Bridge hack for $100 million in 2022. The group has also been extremely active in the crypto space in 2023, with several hacks attributed to them, including Atomic Wallet, CoinsPaid, and Alphapo in June and July 2023.
In September 2023, there was a rash of hacks involving compromised private keys. Of these, the Stake.com and CoinEx hacks have already been linked to the group — based on address reuse — and other breaches may have been performed by them as well.
The Lazarus Group is a sophisticated cybercrime group with suspected ties to the government of North Korea. It performs attacks in a variety of industries and against companies around the world. However, it has also been responsible for some of the largest and most damaging cyberattacks in the crypto space.
In general, the Lazarus Group focuses on social engineering attacks, using deception and similar tactics to gain access to an organization’s environment. From there, it can exploit internal vulnerabilities to gain the privileges that it needs and carry out its goals.
Reducing vulnerability to Lazarus Group attacks requires managing a project’s exposure to social engineering.
Some best practices for doing so include:
Employee Training: Social engineering attacks target humans, not vulnerabilities in a project’s code. Training users to recognize and respond appropriately to suspicious emails and other communications can help reduce the risk of a social engineering attack.
Endpoint Security: The Lazarus Group commonly uses custom RATs and other malware as part of its attacks. Deploying endpoint security solutions capable of detecting, blocking, and remediating these malware infections can help reduce exposure to these attacks.
Multi-Factor Authentication (MFA): The Lazarus Group often uses social engineering to steal passwords and other sensitive data from an organization. Multi-factor authentication (MFA) helps to increase the complexity of these attacks by forcing attackers to steal multiple authentication factors to gain access to an online account.
Patch Management: The Lazarus Group has been known to exploit vulnerabilities, such as Log4j, in its attacks. Promptly installing security updates and patches can help to prevent these attacks.
Zero Trust Access Controls: Often, users, applications, and computers have more access than they need for their jobs. Enforcing the principle of least privilege and individually authenticating each request for access makes it much harder for an attacker to gain the privileges that they need without being detected.
Decentralized Wallet Controls: Many cyberattacks involving compromised private keys target protocols that store large volumes of cryptocurrency in a hot wallet with a single private key. Cold and multi-signature wallets help to reduce the risk of major losses due to a single compromised key.
While many blockchain hacks take advantage of smart contract vulnerabilities, the Lazarus Group typically targets flaws in an organization’s security processes. To learn more about how to design your crypto or DeFi project to be more resilient against these types of social engineering threats, get in touch with Halborn.