Threat Thursday - Lazarus

Hello everyone and happy #ThreatThursday! Today, we are covering the Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high profile hacks seen over the years, such as the Sony hack in 2014. Lazarus Group has been attributed as a North Korean state sponsored hacking group by the FBI.

Reporting organizations have been inconsistent when covering Lazarus group. Some have attributed any North Korean activity or campaign as the work of Lazarus, while others have separated specific activity into multiple threat actor groupings. This emulation plan is a hybrid of several different campaigns, and we will create additional Lazarus Group emulation plans in the future in order to address the range of techniques and capabilities being deployed.

Cyber Threat Intelligence

Despite the inconsistencies, we have plenty of CTI to work off of when building our emulation. Below are a series of reports that have greatly aided in the collection and analysis of TTPs attributed to the Lazarus Group and its activities:


Several of these reports outline the significant lengths Lazarus Group operators used social engineering to build rapport with targets in order to gain initial malware execution and access. Upon achieving access, the objectives of Lazarus Group consist of intelligence gathering, intellectual property theft, financial fraud and theft, and targeted destruction.

While some adversaries have changed capabilities over the years, Lazarus Group has leveraged similar techniques for achieving their objectives. Using the Windows Command Line for execution of tools and techniques has been a common thread across multiple campaigns and we have referenced this in our emulation plan.

Since Lazarus Group’s objectives require analysis of information, discovery and collection techniques are heavily used to gather data from victim networks. types of systems the group is accessing, security tools deployed, and potential files of interest.

Adversary Emulation Plan


This adversary emulation plan and the associated MITRE ATT&CK navigator layer is available with the rest of our plans on the SCYTHE community threats github. Below is the Lazarus Group Threat Profile:

 Tactic  Description
Description   Lazarus Group is a North Korean state-sponsored hacking group that advances state focused initiatives including theft of intellectual property, financial fraud and theft, and retaliatory campaigns.
Objective   IP Theft, Financial fraud and theft
 Command and Control  T1071.001: Application Layer Protocol: Web Protocols (HTTP/HTTPS)
Initial Access   T1566.001: Spearphishing Attachment
T1566.003: Spearphishing via Service
 Execution T1059.003: Windows Command Shell
 Defense Evasion T1070.004: File Deletion
T1564.001: Hidden Files and Directories
 Discovery T1010: Application Window Discovery
T1083: File and Directory Discovery
T1057: Process Discovery
T1012: Query Registry
T1082: System Information Discovery
T1016: System Network Configuration Discovery
T1033: System Owner/User Discovery
 Collection T1005: Data from Local System
T1074.001: Local Data Staging
 Exfiltration T1041: Exfiltration over C2 Channel


Import the Lazarus Group threat into SCYTHE’s Threat Manager and then click Threat Catalog. Scroll to the Lazarus Group threat and click to see the adversary emulation plan step by step and click “Create Campaign from Threat”.

Recommendations

As with most campaigns being performed with SCYTHE, we recommend starting under assumed breach. Lazarus Group heavily utilizes social engineering for initial access, tailoring payloads and messaging to specific individuals and industries. User awareness training and a security minded culture are best practices for protecting against these techniques, however operating with an assumed breach model prepares for the outcome of someone clicking a link. Most of the critical components of the Lazarus Group’s impact happens after initial access.  We recommend focusing on the common TTPs when looking for associated activity. 

Windows Command Line is the primary method of execution of Lazarus Group techniques.  This ensures that adequate logging and auditing of process creation and execution parameters through Windows Event Log, Sysmon, or your EDR will provide valuable insight into potential threat actor activities. Since Lazarus Group is performing information gathering, collection, and analysis of data collected from their access, it is critical to tune alerts to your environment since discovery techniques are often leveraged by system administrators for legitimate purposes.

Our final recommendation for this Threat Thursday is to leverage SSL interception if it is possible within the environment. Lazarus Group has used HTTP and HTTPS as primary methods of command and control.  Therefore, insight and inspection of web traffic across is critical to building a firm situational awareness of network activities.

Conclusion

Lazarus Group is a sophisticated threat actor with many different techniques leveraged over the past decade. They have targeted many industries, including healthcare and vaccine research facilities during the COVID-19 pandemic with a focus on vaccination information theft. As they have continued to develop capabilities including social engineering and organizationally tailored malware to increase their effectiveness, organizations need to increase their defensive strategy to counter these additions.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io