BOSTON – A North Korean hacking group known as Lazarus was likely behind a recent campaign targeting organizations in 31 countries, following high-profile attacks on Bangladesh Bank, Sony and South Korea, cybersecurity firm Symantec Corp. said on Wednesday.
Symantec said in a blog post that researchers have uncovered four pieces of digital evidence suggesting the Lazarus group was behind the campaign that sought to infect victims with “loader” software used to stage attacks by installing other malicious programs.
“We are reasonably certain” Lazarus was responsible, Symantec researcher Eric Chien said.
The North Korean government has denied allegations it was involved in the hacks, which were made by officials in Washington and Seoul, as well as security firms.
Symantec did not identify targeted organizations and said it did not know if any money had been stolen. Nonetheless, Symantec said the claim was significant because the group used a more sophisticated targeting approach than in previous campaigns.
“This represents a significant escalation of the threat,” said Dan Guido, chief executive of Trail of Bits, which does consulting to banks and the U.S. government.
Lazarus has already been blamed for a string of hacks dating back to at least 2009, including last year’s $81 million heist from Bangladesh’s central bank, the 2014 hack of Sony Pictures Entertainment, which crippled its network for weeks, and a long-running campaign against organizations in South Korea.
Guido, who reviewed Symantec’s finding, said that it was troubling to see a hacking group focus on attacking banks using increasingly sophisticated techniques. “This is a dangerous development,” he said.
Symantec, which has one of the world’s largest teams of malware researchers, regularly analyses emerging cyberthreats to help can defend businesses, governments and consumers that use its security products.
The firm analyzed the hacking campaign last month when news surfaced that Polish banks had been infected with malware. At the time, Symantec said it had “weak evidence” to blame Lazarus.
Poland’s biggest bank lobbying group, ZBP, in February said the sector was targeted in a cyberattack, but did not provide further details.
Symantec said the latest campaign was launched by infecting websites that intended victims were likely to visit, which is known as a “watering hole” attack.
The malware was programmed to only infect visitors whose IP address showed they were from 104 specific organizations in 31 countries, according to Symantec. The largest number were in Poland, followed by the United States, Mexico, Brazil and Chile.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.