Energy providers from around the world, including the United States, Canada, and Japan, have reportedly been targeted by state-sponsored North Korean hacker group Lazarus, also known as APT38.
According to Cisco’s Talos Intelligence group (opens in new tab), the campaign intends to infiltrate organizations around the world in the interests of establishing long-term access and subsequently exfiltrating data of interest to the nation-state.
Although the precise targets have remained unnamed, the attacks once again show the threat that North Korea and Lazarus can pose via destabilization efforts.
How did the attack work?
According to Talos, this campaign involved the exploitation of vulnerabilities in the VMWare Horizon virtual desktop product to gain an initial foothold in targeted organizations.
After gaining successful entry into the targeted enterprise networks, the group then deployed custom malware implants including the HTML bots VSingle and YamaBot.
In addition to these known malware families, they also claimed to discover the use of a previously unknown malware implant called “MagicRAT.”
Inital entry in the organizations was reportedly made using Log4Shell (CVE-2021-44228), a zero-day vulnerability in Log4j, a popular Java logging framework, which involves arbitrary code execution.
Cybersecurity company Tenable has previously dubbed Log4Shell “the single biggest, most critical vulnerability ever”.
This wouldn’t be the first time North Korea has been implicated in attacks on foreign powers; security researchers at Kaspersky Lab have linked North Korea to the Wannacry ransomware attack which disable 300,000 computers in 150 countries and caused the UK’s NHS unprecedented issues.
Since it was founded in 2010, the Lazarus group has certainly been keeping busy if nothing else. Lately, it’s been turning its attention towards the world of blockchains and DeFi.
Lazarus was linked to an attack on the Ronin sidechain worth $615 million, which powers the popular blockchain-integrated game Axie Infinity, which is known as one of the largest DefI hacks to date.
- Scared of hackers infiltrating your organization? Check out our guide to the best endpoint protection.