North Korean APT Actor Lazarus Attacks Defense Industry, Develops Supply Chain Attack Capabilities

One of the most prolific advanced threat actors, Lazarus, a North Korean APT group, has been recently tracked and identified to be developing supply chain attack skills, and not only that even for cyber espionage they are using its multi-platform MATA framework.

This North Korean APT group is active since at least 2009, and right now in the current era, this APT group is one of the most active globally. As it has a huge track record of cyber-espionage and ransomware campaigns.

But, through their malicious campaigns and wide range of custom tools, they mostly target the cryptocurrency markets and defense industry to accomplish their goals.

Using the MATA malware framework the operators of the Lazarus group has attacked several industries to steal the customer databases and spread ransomware, but, they mainly target the defense industry, and in the MATA malware framework, they can target three major players:-

  • Windows
  • Linux
  • macOS

According to the Kaspersky report, While Lazarus APT group has attacked the defense industry several times, as last year in mid-2020 the ThreatNeedle campaign was launched by them to target the defense industry.

Moreover,  the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Lazarus was building supply chain attack capabilities with an updated DeathNote cluster using a variant of BLINDINGCAN. 

The senior security researcher, Global Research and Analysis Team, Kaspersky, Ariel Jungheit stated:-

“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks.”

Several malicious campaigns have been identified in which an IT asset monitoring solution vendor, as well as a think tank in South Korea, were targeted. In these campaigns two types of cases were discovered:-

First case: In an infection chain that is developed by Lazarus, a malicious payload was delivered via legitimate South Korean security software.

Second case: A Latvian asset monitoring company was the target of Lazarus, an atypical victim for the organization.

In its infection chain, the threat actor uses a downloader called Racket, which was signed by using a stolen certificate, to install malware. 

To filter and control the malicious implants on successfully breached machines several scripts were uploaded by the actor to the compromised web servers.


Here’s the list of recommendations:-

  • Equip your SOC team with access to the latest threat intelligence (TI).
  • Upskill your cybersecurity team.
  • Implement EDR solutions.
  • Implement a corporate-grade security solution.
  • Preface security awareness training and make your team exercise practical skills.

To stay safe the security analysts of Kaspersky have strongly recommended users to follow and implement all the above-mentioned recommendations immediately.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.