CyberWire Daily - Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday]
Episode Date: June 25, 2022. Alan Neville, a Threat Intelligence Analyst from Symantec Broadcom, joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of the group's activity called Operation Dream Job, which Symantec first came across in August of 2020. The research states "evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns." The research can be found here: Lazarus Targets Chemical Sector
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Essentially, Symantec receives billions of rows in telemetry every day. And one of the
things that my team does is actually dig through that telemetry in order to hunt down new threats.
And it was through one of these analytics that we were able to identify some suspicious
credential dumping activity, which led us on to uncovering Pompilus and their attacks
against organizations operating in the chemical sector.
That's Alan Neville.
He's a principal threat intelligence analyst at Symantec.
The research we're discussing today is titled Lazarus Targets Chemical Sector.
Well, before we dig into the details here, I mean, this centers around the Lazarus group, which is out of North Korea.
Can you give us a little bit of the background on them?
Yeah, so Lazarus itself is kind of more of a, how would you say, an all-encompassing name that mainly consists of a lot of different subgroups. Across Symantec themselves, we already actually track probably at least up to 15 different groups
that are all kind of under that umbrella name Lazarus.
And Lazarus was originally the name that was known as Hidden Cobra,
which was used by the US government.
Essentially, there's many of these different subgroups.
We've split them out based on some of the separate activity that we actually track across Symantec.
So we would have groups that we'd associate with North Korea like Bluest or Ballworm, etc.
Which, for example, let's say Bluest, they would target individuals in South Korea using threats like Eagle Boss.
Mainly executives doing their business or working in South Korea.
Ballworm, for example, is another group that we track
where they had previously hijacked software updates
in order to install their malware.
We had Cloverworm, which we've also published on in the past.
This was essentially an espionage effort by North Korea
where they were involved in financially motivated attacks
against crypto organizations.
And some considered these groups known as like Springtail, one and the same.
But when we started to get into that activity for Clover,
we kind of split that out into two different groups.
So it's somewhat confusing in terms of where lots of different vendors
track all the subset of activity under different names.
And Lazarus has essentially become one of these umbrella terms, which
kind of encapsulates all of North Korean activity.
And as you mentioned, your team is tracking this particular group as the name
Pompilus, is that right?
Pompilus, yeah. That's the group that we've dubbed for this particular set of activity.
And so this starts out with a continuation of Lazarus's technique that is referred to as Operation Dream Job.
Yeah, so Dream Job is quite interesting.
There's actually been quite a bit of reporting about this over the last several years. It was first published by our colleagues in ESET in a blog around June 2020,
where they specifically detailed a campaign
which attacked defense and aerospace companies
in Europe and the Middle East
between September and I think it was December 2019.
And that campaign, which they named Interception,
made use of social engineering
and relied on a modular malware
to collect and perform reconnaissance
on targeted networks.
At that time, according to ESET,
the attackers made initial contact
with their targets through LinkedIn.
The attackers themselves had been creating profiles
impersonating HR recruiters
from international companies
in the defense sector
and aerospace sectors. And they use these copycat profiles to send job offers to their targets.
And for any of those who may have showed interest in those jobs, they would then eventually send
them a password-protected archive, which is either sent directly to them via email or may have a link
to one of those cloud providers
like OneDrive to install their malware.
And then later, I suppose in 2020, McAfee also documented a similar campaign.
They released a blog where they detailed the malicious documents
that were being sent to the individuals
related to legitimate job offers at leading defense contractors.
All of the organizations that were detailed in that blog had active defense contracts of varying sizes and scope all with the US government. And then there was also additional
reporting by ClearSky. They had released a report where they detailed some further tactics
of the attackers. For example, they began to impersonate legitimate individuals in companies,
not just setting up fake profiles, but actually copying LinkedIn profiles from existing employees
and using their images as well.
They began to build up a reputation by adding other individuals within those companies to
LinkedIn before they began reaching out to their targets, essentially kind of using the
same means as before, like sending job offers.
In those cases, they began leveraging other messaging platforms as well.
So it wasn't just LinkedIn, but they began to branch out onto other platforms like WhatsApp or directly through SMS texts and even on Twitter.
And then we'd also seen a blog that was published in January 2021 by Google,
and they had observed similar campaigns,
but in these cases, it looked like the attackers had shifted
their focus away from defense and aerospace
and started focusing on security researchers.
In these campaigns, the attackers began to impersonate
professional security researchers setting up LinkedIn profiles
and Twitter accounts, a lot of what we've seen previously.
They even went as far as starting to create blogs, publishing articles on exploit vulnerability research in an attempt to build up that reputation.
At one stage, they even created fake YouTube videos, supposedly demonstrating a zero-day exploit against Windows Defender. This was later proven to be fake.
They had used these types of tactics as a means to build up
a reputation. And then using that reputation would begin to reach out
to other security researchers and begin to ask them would they like to collaborate on
some vulnerability research to the point where they would send them
a Visual Studio project,
which would essentially install some malware onto the security researchers' machines.
Well, let's dig into this particular campaign. What were you tracking here?
During this time, we had obviously been keeping track of all this activity, which we then
began tracking as a separate group because it looked like it had very kind of unique characteristics
in terms of some of the tactics and tools that the group were using.
And around late, I suppose, 2021, we began observing a shift
in some of the targeting by the actors, whereby they began to focus
on healthcare and pharmaceutical sectors initially,
retaining access in some of those organizations for up to several months.
Similar to what we'd previously reported,
we've observed the attackers leveraging
various social media platforms,
sending malicious documents,
with lures related to pharma and jobs,
job offers,
and identified a potentially new, undocumented vector as well,
whereby the attackers were installing their tools,
via legitimate system management software tools, to spread across the networks.
We'd also observed the attackers targeting financial organizations that were heavy into
cryptocurrency as well.
As we continued to monitor the group into 2021 and then later into 2022, we noticed
a second shift in their targeting, whereby they began to
set their sights on organizations operating in the information technology sector, which
included web hosting companies, some small-time registrars, and we'd also seen some IT support
contractors as well.
And then at a later stage, we started seeing a shift towards conglomerates.
We believe that they had targeted these organizations in the IT sectors initially to build out some of their infrastructure.
The majority of their command and control servers that they use are compromised websites.
So it kind of makes sense for them to go after those organizations.
However, there was another theory as well that they were likely targeting these organizations as a means to get access to other organizations of interest, essentially, I suppose, performing a supply chain attack.
And among some of the other victims, we had noticed that the majority of those victims
actually operated within the chemical sector,
specifically the machines that Lazarus were targeting at the time.
All were related to machines that were being used
to conduct research in the chemical sector,
specifically around some projects
that were being worked on in collaboration with different organizations.
The research that you all have posted here includes a case study,
what you tracked from an organization in the chemical sector.
Can we go through that together, get some insights
as to how Lazarus went about this?
Yeah, so in the recent victim that we described in the blog, we'd seen the victim themselves were operating in the chemical sector.
They were part of a conglomerate.
We believe that they had been initially sent some malicious emails that contained links
to remote sites, and the user that they had targeted
essentially had opened the email, clicked the link,
which in turn was able to download and install
a malicious DLL file onto their machine,
which essentially gave the actors a backdoor access.
So once that backdoor was installed and executed,
it was used to download a second stage payload,
which the attackers were able to leverage.
And that gave them the ability
to be able to execute arbitrary commands
that were all being executed in memory.
And they were able to use, again,
use that access to install additional tools,
potentially steal information
from the infected machine itself.
And in multiple cases where we observed them installing these tools,
we had seen them leveraging Trojanized versions of legitimate projects like compression libraries.
In some instances, we had seen them using system management software
to install some of their backdoors on other machines once they gained that initial access.
And again, that's probably all likely just to try and remain under the radar
for as long as possible within those organizations.
I suppose after the attackers had gained that access,
one of the first things we see them do
is obviously start to collect credentials
to assist in that lateral movement.
The attackers then began creating multiple scheduled tasks
to ensure persistence as a means to run commands.
They were leveraging batch files to do this in those cases.
And we also observed them installing older versions of,
I think we'd seen Bitdefender,
which had software that was vulnerable to remote code execution vulnerabilities,
which again was likely to allow them to execute arbitrary commands on harder-to-reach systems.
Beyond those backdoor tools and the remote access tools that we've seen them install within that victim,
it looks like they also were able to deploy tools to be able to take screenshots to monitor machines of interest.
And this tool would take screenshots of browser web pages every 10 seconds and send those images back to the attackers.
Now, by what means were they ultimately detected?
The cases where these were initially detected, it was all through the analytics that our team actually developed.
So like that, we collect billions of rows of telemetry
that are submitted to Symantec every day.
As part of that threat hunting effort that we actually do,
one of those approaches that we use would be to design a lot of these analytics
to identify the suspicious attack behavior.
It's usually through those that we were able to identify, and in this case,
this is what we were actually able to find. We were able to identify some suspicious credential
dumping activity that was identified through those analytics.
And so what are your recommendations in terms of protection and mitigation? How can folks best prevent this?
For recommendations for protection, obviously,
first thing I'd actually recommend
would be adopting a defense in depth
strategy. So that would be using
multiple detections and protection technologies
essentially to try and mitigate
risks at all points of the potential
attack chain. I'd also
recommend leveraging
two-factor authentication where possible
and generally this would be a good thing to do
to help limit the usefulness of any compromised credentials.
Standard things like restricting remote desktop protocol access
or any other tools that can enable remote desktop access.
Monitor any system management software
that may be leveraged within your organization
to ensure you have visibility of what's being delivered to your endpoints.
And then also things like enabling logging of PowerShell
and tool usage as well.
I'd also recommend working with your own security teams
and security vendors, review the protection information
that's available, share it to our blog
or share it to our other colleagues as well
to ensure all the steps have been taken to detect and block
this type of activity across your organization.
Now, is your sense that the primary goal here was espionage
as opposed to, because we're dealing with the chemical sector,
as opposed to getting into industrial control systems,
those kinds of things.
Yeah, as we began to dig into some of those recent victims,
we quickly realized the attackers were clearly interested
in chemical research.
The organizations where we actually observed
the attackers gaining access to,
we were able to quickly identify that those victims
had working relationships with each other.
And we could see them specifically seeking out research materials,
in these cases related to epoxy research that the organizations were collaborating on.
And what was pretty interesting about epoxy research, it's not just glue at the end of the day.
It actually has many other practical uses, among some of them being solid safe fuels.
As we know, North Korea have ramped up their missile testing since the beginning of 2022.
And we believe it's likely due to the sanctions that have been imposed on the country,
the fact they've been excluded from that wider scientific community,
they're beginning to resort to stealing that type of research and intellectual property
to further their own nuclear programs or interests. What's also interesting about this is we've also
seen other North Korean groups as well targeting the chemical sector for similar research recently.
This is a group that we've known or that we track and we've also published on in the past known as
Stonefly and at that time they had been targeting, again, conglomerates,
again, involved in research around super alloys
specifically used for heat shielding.
And it appears to be some sort of like directive of theirs
to collect this type of information.
Our thanks to Alan Neville from Symantec for joining us.
The research is titled Lazarus Targets Chemical Sector.
We'll have a link in the show notes.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening.
We'll see you back here next week.