Lazarus Group Attack Identified After Operational Security Fail

A targeted ransomware attack against organizations in the research, healthcare, and energy sectors has been attributed to North Korea's Advanced Persistent Threat (APT) Lazarus Group after the threat actor made an "operational security mistake."

According to WithSecure, which investigated the attack, the team linked it to a broader intelligence-gathering operation rather than a financially motivated ransomware campaign.

"While this was initially suspected to be an attempted BianLian ransomware attack, the evidence we gathered quickly pointed us in the other direction," explained Sami Ruohonen, senior threat intelligence researcher at WithSecure.

“As we gathered more evidence, we became more confident that the attack was carried out by a group affiliated with the North Korean government.”

According to the team, the new campaign shared several characteristics with previous Lazarus Group activity.

These included the exclusive use of IP addresses without domain names (alongside newly stood-up infrastructure), a modified version of the Dtrack backdoor, and a new variant of the GREASE malware.

Regarding the operational security error, WithSecure said the attacker used one of the roughly 1,000 IP addresses belonging to North Korea, and that address was observed connecting to an attacker-controlled web shell on the victim's server.
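The slip described above is, from the defender's side, a log-review problem: a request to a web shell path whose source address falls in a watchlisted prefix. The script below is an added example, not WithSecure's tooling or anything from the report, showing how an incident responder might triage web server access logs for exactly that pattern. It assumes an Apache "combined" log format with the Host request header appended in quotes; the watchlist prefixes, the web shell paths and the log lines are all constructed for the example. It also flags a bare-IP Host header as a weak secondary signal, since the article notes the actor's habit of using IP addresses without domain names.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed log format (not stated on the page): Apache "combined" with the Host
# request header appended, i.e.
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Host}i"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Hypothetical watchlist of source prefixes (constructed; a real one would be
# built from the IR team's own indicators or a geo-IP feed).
WATCHLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Hypothetical web shell paths already identified during the investigation (constructed).
WEBSHELL_PATHS = {"/uploads/cache.aspx", "/images/favicon.php"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    src: str
    path: str
    reasons: tuple


def bare_ip_host(host: str) -> bool:
    """True if the client addressed the server by an IP literal rather than a name."""
    h = host.strip()
    if h.startswith("["):                      # [v6]:port form
        h = h[1:h.find("]")] if "]" in h else h
    elif h.count(":") == 1:                    # v4:port form
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def in_watchlist(src: str) -> bool:
    """True if the source address falls inside any watchlisted prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in WATCHLIST)


def analyse(lines):
    """Return a Finding for every request that hits a known web shell path or
    originates from a watchlisted prefix; a bare-IP Host header is appended as
    a weak supporting reason only when one of the strong signals is present."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # unparseable line: skip, never crash
        reasons = []
        if m["path"].split("?", 1)[0] in WEBSHELL_PATHS:
            reasons.append("webshell_path")
        if in_watchlist(m["src"]):
            reasons.append("src_in_watchlist")
        if reasons and bare_ip_host(m["host"]):
            reasons.append("bare_ip_host")
        if reasons:
            findings.append(Finding(n, m["src"], m["path"], tuple(reasons)))
    return findings


# Constructed sample log lines (not from the incident described in the article).
SAMPLE_LOG = [
    '192.0.2.44 - - [10/Feb/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.org"',
    '203.0.113.7 - - [10/Feb/2023:14:03:27 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 312 "-" "python-requests/2.28" "192.0.2.10"',
    '192.0.2.91 - - [10/Feb/2023:14:05:02 +0000] "POST /uploads/cache.aspx?cmd=whoami HTTP/1.1" 200 64 "-" "curl/7.81.0" "www.example.org"',
    '198.51.100.9 - - [10/Feb/2023:14:06:40 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "www.example.org"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} {f.path} -> {', '.join(f.reasons)}")
```

The second sample line is the shape of the slip the article describes: a watchlisted source posting to the web shell, here also addressing the server by bare IP. The third line shows why the path check matters on its own; an operator working from clean infrastructure still leaves the web shell request in the log, so the watchlist is a corroborating signal rather than the only one.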

Tim West, Head of Threat Intelligence at WithSecure, warns:

“Even with accurate endpoint detection technology, organizations must continually consider how to respond to alerts. should provide better defense-in-depth against adversaries skilled in

The attackers reportedly managed to exfiltrate 100 GB of data, but WithSecure said the group had taken no destructive action by the time the intrusion was disrupted.

More details about the attack and the malware used are available in the full report published today by WithSecure.

The report comes weeks after the FBI confirmed that the Lazarus Group was behind last year's $100m theft from the cryptocurrency company Harmony.
