Advanced persistent threat actor Lazarus attacks defense industry, develops supply chain attack capabilities
October 2021 by Kaspersky
Advanced persistent threat (APT) actors continuously advance their ways of working. While some choose to remain consistent in their strategy, others adopt new techniques, tactics and procedures. In Q3, Kaspersky’s researchers witnessed Lazarus, a highly prolific advanced threat actor, developing supply chain attack capabilities and using their multi-platform MATA framework for cyber-espionage goals. This and other APT trends from across the world are revealed in Kaspersky’s latest quarterly threat intelligence summary.
Lazarus is one of the world’s most active threat actors and has been active since at least 2009. This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and the cryptocurrency market. Having a variety of advanced tools at their disposal, they seem to have chosen to apply them to new goals. In June 2021, Kaspersky researchers observed the Lazarus group attacking the defense industry using the MATA malware framework, which can target three operating systems – Windows, Linux and macOS. Historically, Lazarus has used MATA to attack various industries for cybercrime purposes, such as stealing customer databases and spreading ransomware. However, this time our researchers tracked Lazarus using MATA for cyber-espionage purposes. The actor delivered a Trojanised version of an application known to be used by their victim of choice – a well-known Lazarus characteristic. Notably, this is not the first time the Lazarus group has attacked the defense industry: their previous ThreatNeedle campaign was carried out in a similar fashion in mid-2020.
Lazarus has also been spotted building supply chain attack capabilities with an updated DeathNote cluster, which consists of a slightly updated variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA). Kaspersky researchers discovered campaigns targeting a South Korean think-tank and an IT asset monitoring solution vendor. In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload; in the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named “Racket” which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached machines.
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks. This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organisation –something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front,” comments Ariel Jungheit, senior security researcher, Global Research and Analysis Team, Kaspersky.
The Q3 APT trends report summarises the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. Free access to its curated features that allow users to check files, URLs, and IP addresses, are available here
• Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
• For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
• As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform