The Lazarus Group: A Report
Stacey E. Meyer
The Lazarus Group, also known as Advanced Persistent Threat (APT) 38, Hidden Cobra (the U.S.
government’s name), BlueNoroff (a subgroup focused on attacking foreign financial institutions),
Andariel (a subgroup focused on targeting South Korean organizations and businesses), Stardust
Chollima, and Kimsuky (the U.S. government’s name for a subgroup focused on intelligence
gathering in the U.S. and South Korea using social engineering tactics), is a North Korean state
threat actor (a cyber group operating in the interests of its state) active since at least 2009. The
“group,” which consists of multiple spin-off groups of hackers with varying levels of
sophistication and training that each focus on specific kinds of attacks, is highly financially
motivated and likely protected, encouraged, trained, and tasked by the North Korean
government. They have leveraged many different techniques to target a wide variety of industries
with disruption, sabotage, financial theft, and espionage.
The Lazarus Group is responsible for multiple high-profile, notorious cyber attacks. The Council
on Foreign Relations’ Cyber Operations page listed in 2018 some of the attacks the group is
believed to be responsible for: Operation Flame (2007), Operation Troy (2009), Ten Days of
Rain (2011), Dark Seoul (2013), the Sony Pictures Entertainment attack (2014), the SWIFT-
related bank heists (2016), WannaCry (2017), and Operation GhostSecret (2018).
Lazarus develops its own attack tools and malware and is recognized for innovative attack
techniques. Though experts consider the group(s) to be a highly sophisticated threat, they are
also thought to be more reckless than other groups, like the Russian groups DarkSide or REvil. The
recklessness is possibly due to facing no governmental consequences. North Korea uses stolen
funds to evade sanctions, prop up its damaged economy, and fund governmental priorities like
its nuclear and missile initiatives.
Notable tactics the group has used or uses:
1) Disruption operations that “involve DDoS attacks and Wipers with time-based triggers. These
include KILLMBR with a hard-coded wiping date, and QDDoS, which has a duration date that wipes
data ten days after infection. DESTOVER, a backdoor equipped with wiping capabilities is another
example.”
2) Commercially available protectors for its tools. However, some security teams have seen them
deploy both protected and unprotected versions of their tools on the same target during actual
attacks.
3) Anti-forensic techniques like separation of components, command line tools, disk wiping, and
prefetch, event log, and MFT record wipers.
Since at least 2018, the Lazarus Group has been targeting cryptocurrency, conducting financial
cybercrimes to raise and launder more than a billion dollars to date while terrorizing the
burgeoning virtual economy. One tactic favored by the group has been to trojanize or disguise
malware as crypto-related trading apps, like AppleJeus (the U.S. government’s name for the
North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency).
The Cybersecurity and Infrastructure Security Agency (CISA) warned of the group’s use of
trojanized applications to gain access to victims’ computers in spring of 2018 (KEYMARBLE,
TYPEFRAME, SHARPKNOT, and HARDRAIN are a few of 2018’s CISA-identified N. Korean
Lazarus launched their new crypto theft campaign in 2018 by cloning a legitimate Dutch website
named HaasOnline as a newly registered domain called bloxholder[.]com. The cloned website
distributed a Windows MSI installer pretending to be an installer for the BloxHolder app.
Instead, it was AppleJeus malware bundled with the QTBitcoin Trader app used by Lazarus
previously. In 2022, researchers at Volexity analyzed a second campaign, likely targeting
cryptocurrency users and organizations, using a malicious Microsoft Office document to deliver
the AppleJeus malware.
In 2020, Google warned that “North Korean hackers had attacked security researchers via what
may have been a Chrome ‘zero-day’ exploit - an attack on an unpatched vulnerability or string
of vulnerabilities.” Within a week of Google’s warning, media revealed Lazarus was responsible
for another attack, the biggest crypto theft of 2020. Their heist, carried out on Singapore-based
KuCoin, was estimated to be around $275 million in digital currency. Around the same time,
CNN reported on a United Nations confidential document that suggested North Korea had stolen
a total of $316 million from financial institutions and virtual currency companies between 2019
and 2020.
In 2022, the U.S. Treasury Department announced new sanctions against an ethereum wallet
traced to the Lazarus group. It stated the identified wallet contained funds from an attack on
the Ronin Network, the blockchain “bridge” that supports the blockchain game Axie Infinity, in
which around $615 million in USDC (a U.S. dollar pegged stablecoin) and ethereum was stolen.
In early 2023, the FBI confirmed that the Lazarus Group was responsible for the attack on
Harmony’s Horizon Bridge (another blockchain “bridge” that lets users swap tokens between
different networks) in 2022 in which $100 million worth of crypto was stolen. The FBI also said
the group laundered over $60 million of these stolen tokens using RAILGUN's privacy system.
Vitalik Buterin, the creator of ethereum, previously made the case that bridges won’t be around
much longer in crypto, in part because there are “fundamental limits to the security of bridges
that hop across multiple ‘zones of sovereignty.’” Until then, unfortunately, the Lazarus group
and other bad actors will likely continue to exploit bridges’ security vulnerabilities.
The Lazarus group has also used Tornado Cash and Blender, now believed to be rebranded as
Sinbad, to launder the crypto from these hacks. Tornado Cash and Blender (aka Sinbad) are
“mixers” or “tumblers,” which make blockchain transactions harder to trace. However,
chain analysts were able to attribute these attacks to Lazarus by the unique way Lazarus sent
funds to mixers. Apparently the size and the way that funds are sent to mixers is akin to a
Last month, in February of 2023, security researchers uncovered a broad, espionage-
motivated effort by North Korean state cyber threat actors targeting a healthcare research
company; a manufacturer of technology used in energy, research, defense and healthcare
verticals; a chemical engineering department at a leading research university; medical research;
and energy organizations. This new research provides evidence of Lazarus Group’s diverse
motives and targets.
Also last month, Norway seized close to $6 million in crypto stolen by Lazarus in 2022
following the Axie Infinity/Ronin Bridge hack. International law enforcement is working with
multiple countries to track the Lazarus Group’s stolen funds, attempting to prevent North Korea
from withdrawing the currencies as physical assets. Similar efforts led to the U.S. government,
in September of 2022, recovering more than $30 million in crypto, 10% of the funds stolen in the
Ronin cross-chain bridge attack. The Norway seizure coincided with crypto exchanges Binance
and Huobi freezing accounts containing around $1.4 million in crypto originating from the
Horizon bridge attack.
As international and national law enforcement agencies discover new ways to trace crypto
money laundering activity, the Lazarus Group and other global Advanced Persistent Threat cyber
groups will continue to innovate ways to exploit security vulnerabilities. Organizations wishing
to defend themselves against threats posed by Lazarus, which uses a wide variety of tactics and
readily available tools, or by any group conducting a targeted attack, need to ensure that every
corner of their network infrastructure is secure from multiple kinds of attacks. Any machine
connected to the network must be updated with the latest security patches to minimize
vulnerability exploitation. Organizations would be wise to look into multilayered security
solutions.