IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Lazarus APT hacking group is targeting the defense industry

North Korea-linked hackers used ThreatNeedle backdoor to gather sensitive data

Security researchers have warned of a new hacking campaign by a Lazarus APT group closely linked to the North Korean regime. The hackers have targeted defense industry companies.

According to Kaspersky researchers, the Lazarus group is a highly prolific advanced threat actor active since at least 2009 and linked to many multifaceted campaigns. Since early last year, Kaspersky said the group has been targeting the defense industry with a custom backdoor dubbed ThreatNeedle that moves laterally through infected networks, gathering sensitive information.

Before this most recent campaign, the hackers have been involved in other large-scale cyberespionage campaigns, ransomware campaigns, and even attacks against the cryptocurrency market. These latest attacks signal a change in direction.

Researchers said they became aware of this campaign when they were called in to assist with incident response and discovered the organization had fallen victim to the ThreatNeedle backdoor.

The initial infection occurs through spear-phishing, in which targets receive emails with malicious Word attachments or links to them hosted on company servers. These emails claim to have urgent updates on the coronavirus pandemic and appear to come from a respected medical center.

If a victim opens a malicious document, it installs malware belonging to the Manuscrypt family, which is attributed to the Lazarus group. Researchers have previously seen this malware attacking cryptocurrency businesses. 

Once installed, the malware gains full control of the victim’s device, meaning it can do everything from manipulate files to execute received commands.

Researchers said one of the more interesting aspects of the campaign is its capacity to steal data from an office IT network and a plant’s restricted network with mission-critical assets and computers with highly sensitive data and no internet access.

While company policies usually prevent data transfer between these two networks, administrators could connect to both networks to maintain these systems. Lazarus was able to control administrator workstations and set up a malicious gateway to attack the restricted network, allowing it to steal and extract confidential data from there. 

“Lazarus was perhaps the most active threat actor of 2020, and it doesn’t appear that this will change anytime soon,” said Seongsu Park, senior security researcher for Kaspersky’s Global Research and Analysis Team (GReAT). 

“In fact, already in January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out.”

Lazarus is highly prolific and highly sophisticated, added Vyacheslav Kopeytsev, a security expert with Kaspersky ICS CERT. 

“Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spear-phishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it is important that organizations take extra security precautions to safeguard against these types of advanced attacks.”

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022