Signs of North Korea's Lazarus Cyberattack Detected in Israel VIDEO: Lazarus rises in Israel with attempted hack of defense company, researchers say


Lazarus rises in Israel with attempted hack of defense company, researchers say

Written by Sean Lyngaas
MAR 26, 2019 | CYBERSCOOP
A notorious hacking group experts have tied to the North Korean government has targeted an Israeli defense company, according to new research outlining what appears to be one of the group’s first attacks on an Israeli entity.




 

Signs of North Korea's Lazarus Cyberattack Detected in Israel


Signs of a cyberattack by the North Korean hacker group "Lazarus" have been detected in Israel, the leading Israeli daily Haaretz reported on the 26th (local time).


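According to the outlet, local cybersecurity firm ClearSky said, "An employee of an Israeli security company received a suspicious message through the company's internal intranet on the 7th," adding, "This email, written in broken Hebrew, contained dozens of malicious files."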


ClearSky said, "We are convinced that this attack was the work of North Korea's Lazarus," adding, "If that is true, this is, as far as we know, North Korea's first cyberattack against Israel."




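Lazarus is North Korea's best-known hacker organization, identified as being behind the "WannaCry" attack that infected more than 300,000 computers in 150 countries in May 2017. The group has inflicted hacking damage on financial institutions, NGOs (non-governmental organizations), companies and others around the world.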


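Boaz Dolev, chief executive officer (CEO) of ClearSky, explained, "North Korea's cyberattacks have distinctive characteristics," adding, "They attack at the state level and steal money like a criminal organization."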




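CEO Dolev pointed out that users of WinRAR, the Windows compression program in which a security vulnerability was recently discovered, may be particularly vulnerable to this attack. He said, "In the case of WinRAR, there is no mechanism by which the security program is automatically updated as needed, so there is concern that users who have not updated the software may have been exposed to the attack."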

Reporter Lee Seon-mok (이선목), Chosun Ilbo


Source: http://news.chosun.com/site/data/html_dir/2019/03/26/2019032601647.html


edited by kcontents


The unnamed company makes products used in the military and aerospace industries, and the hackers could have been after commercial secrets or more traditional espionage, according to ClearSky, the cybersecurity firm that exposed the operation. The suspected culprit is Lazarus Group, an industry term for a broad set of hackers associated with Pyongyang.



“We cannot be sure what the objective of the attackers [was],” Eyal Sela, head of threat intelligence at ClearSky, told CyberScoop in an email. “[It] could be industrial/commercial espionage but could be military espionage, for example.”

North Korean dictator Kim Jong Un has set ambitious economic goals, and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets. The expansion in targeting to include an Israeli defense company would be in keeping with Pyongyang’s track record of turning its hackers on whatever organizations could serve North Korean interests.

The veil was lifted on this campaign after an employee from the Israeli defense company received an email on March 7 in broken Hebrew from a colleague whose account was likely already breached, ClearSky said.

Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group.



ClearSky assessed with “medium confidence” that Lazarus was behind the malicious activity. However, researchers said they were basing that on technical evidence and therefore could not rule out a false flag operation posing as Lazarus. Other private-sector experts who wished to stay anonymous helped with detection and analysis of the malicious activity, ClearSky said.


Israeli newspaper Haaretz was first to report on the research.

Analysis of the source code used by the hackers shows that a Korean language setting was enabled and that the malicious attachment was able to bypass the company’s email-filtering protections, as Ido Naor, an Israel-based researcher with Kaspersky Lab, pointed out.

According to ClearSky, the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month.
https://www.cyberscoop.com/lazarus-rises-israel-attempted-hack-defense-company-researchers-say


 

