Exploring APT #3 – part 1 

Now, we’re turning our attention to one of my favourite APTs – the Lazarus Group. Really, I’m disappointed that the _secpro readers voted it in so early in our countdown! As one of the most famous APTs, and one of the few that the layman may have heard of, it’s a high-profile case. But who are the Lazarus Group and what have they been up to? 

Who are the Lazarus Group? 

The Lazarus Group is a notorious hacking group believed to be operating out of North Korea. The group is known for carrying out large-scale and sophisticated cyberattacks against various targets, including financial institutions, government agencies, and critical infrastructure. 

The Lazarus Group gained worldwide attention in 2014, when it was linked to the devastating cyberattack against Sony Pictures Entertainment. The group has since been associated with a number of other high-profile attacks, including the 2016 Bangladesh Bank heist, in which hackers stole $81 million, and the 2017 WannaCry ransomware attack, which infected hundreds of thousands of computers in over 150 countries. 

The Lazarus Group is believed to be closely affiliated with the North Korean government, and its attacks are thought to be part of the country’s broader strategy to generate income and acquire sensitive information through cyberespionage. The group is known for using advanced techniques, including the development of custom malware, to evade detection and carry out attacks. 

What was WannaCry? 

The ransomware cryptoworm known as “WannaCry” (also “WCry” and “WanaCrypt0r”) hit systems in around 150 countries in May 2017, locking down computers and servers all over the world. The name was taken from strings in the ransomware binary and from the .WNCRY extension it appended to encrypted files. Some of the biggest organisations affected were the National Health Service (NHS) in the UK and the Russian central bank. 

By exploiting a bug in Microsoft’s SMBv1 (Server Message Block) implementation, the flaw patched as MS17-010 (CVE-2017-0144), the ransomware also behaved as a worm and spread through entire networks without any user interaction. Early reporting listed Windows XP, 7 and 8 as affected, but Windows 7 accounted for the overwhelming majority of infections; XP, it later turned out, was largely unaffected because the exploit tended to crash it rather than infect it. Over 230,000 computers were infected before researchers were able to halt the spread. 

The scale of WannaCry’s spread caused an attitude shift towards technology and cybersecurity in many sectors. Estimates of the total damage ran to around $4 billion worldwide, even though the three Bitcoin wallets hard-coded into the malware collected only a little over $100,000 in actual ransom payments. Organisations like the NHS started to take patching and security protocols more seriously in order to stop similar attacks in the future. 

How did the WannaCry ransomware kick off? 

WannaCry was ransomware that encrypted the data on any computer it infected and then spread itself to other systems. On an infected machine, a screen demanded a ransom of $300 in Bitcoin, rising to $600 after three days. If the user did not pay, the files stayed encrypted and they would be unable to access anything they had stored on the device. Each file was encrypted with its own AES key; those keys were wrapped with an RSA key pair generated on the victim machine through Windows’ Microsoft Enhanced RSA and AES Cryptographic Provider, and the victim’s private key was in turn encrypted with the attackers’ public key. Without the attackers’ private key, therefore, the files cannot be recovered, and because the payment flow had no reliable way of tying a Bitcoin transaction to a particular victim, paying was no guarantee of a decryption key either. 

Why was WannaCry Different to Other Attacks? 

Unlike most ransomware of the time, which arrived one victim at a time by e-mail attachment or drive-by download, WannaCry was built to spread on its own. Using the EternalBlue exploit against SMBv1 on Microsoft Windows, it functioned as a worm: it scanned for other hosts with TCP port 445 open, on the local network and on random internet addresses, exploited them, and installed the DoublePulsar kernel backdoor (also from the same leak) to load itself on each new victim. Every newly infected host then repeated the process, so the malware could encrypt files on as many computers as possible and put a huge number of Windows users under pressure to pay. 

Was WannaCry an Isolated Event? 

It is important to note that WannaCry was not just one attack. Although the May 2017 outbreak is the best-known version, several later variants were built on the same code. The original sample contained what became known as the kill switch: before doing anything else it tried to fetch an unregistered domain over HTTP, and if the request succeeded it simply exited. A malware researcher named Marcus Hutchins (better known as MalwareTech) registered that domain on the first day of the outbreak, which halted the spread of that sample, although it did nothing for machines that were already encrypted. Within days the hackers (or copycats) redeployed WannaCry with a slight variant on the original code, first with a different kill-switch domain and later with the check removed altogether. 
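The kill-switch check described above, as an added example that is not WannaCry’s code and not from the original article. The domain constant is the real one the May 2017 sample queried; the network is replaced by an injected `fetch` callable (an assumption made here so the block runs offline), and the scenario names and the variant domain are constructed for the demo.

```python
"""The WannaCry kill-switch check, reimplemented in Python for illustration.

Added example: not the malware's code and not from the original article.
KILL_SWITCH_DOMAIN is the real domain the May 2017 sample queried; the
network is replaced by an injected `fetch` callable (an assumption made
here) so the block runs offline and the scenarios below are deterministic.
"""
from __future__ import annotations
from typing import Callable, Optional

# The unregistered domain the first sample tried to reach before doing anything else.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# A fetcher answers True if an HTTP GET to the URL succeeded, False otherwise.
Fetcher = Callable[[str], bool]


def should_run_payload(kill_switch_domain: Optional[str], fetch: Fetcher) -> bool:
    """Mirror of the original logic.

    If the GET succeeds the worm exits; if it fails (domain unregistered,
    no DNS answer, no route) the worm carries on to exploit and encrypt.
    Later variants removed the check entirely, modelled here as None.
    """
    if kill_switch_domain is None:
        return True
    try:
        reachable = fetch(f"http://{kill_switch_domain}/")
    except Exception:
        reachable = False
    return not reachable


def make_fetcher(registered: set, proxy_only: bool = False) -> Fetcher:
    """Constructed stand-in for the network (an assumption of this example).

    `registered` is the set of hostnames that resolve and answer HTTP.
    `proxy_only` models a corporate network where direct egress is blocked:
    the original used WinINet in direct mode and ignored the system proxy,
    so its request failed there even after the sinkhole was live.
    """
    def fetch(url: str) -> bool:
        host = url.split("/")[2]
        if proxy_only:
            return False
        return host in registered
    return fetch


def outbreak_scenarios() -> dict:
    """Does the sample run under each network condition? (constructed cases)"""
    before = make_fetcher(registered=set())
    after = make_fetcher(registered={KILL_SWITCH_DOMAIN})
    after_behind_proxy = make_fetcher(registered={KILL_SWITCH_DOMAIN}, proxy_only=True)
    variant_domain = "different-kill-switch.example"  # hypothetical, not a real variant's domain
    return {
        "original, domain unregistered": should_run_payload(KILL_SWITCH_DOMAIN, before),
        "original, domain sinkholed": should_run_payload(KILL_SWITCH_DOMAIN, after),
        "original, sinkholed but host needs a proxy": should_run_payload(KILL_SWITCH_DOMAIN, after_behind_proxy),
        "variant with new unregistered domain": should_run_payload(variant_domain, after),
        "variant with check removed": should_run_payload(None, after),
    }


if __name__ == "__main__":
    for case, runs in outbreak_scenarios().items():
        print(f"{case:45s} -> {'ENCRYPTS AND SPREADS' if runs else 'exits quietly'}")
```

The third scenario is the practical caveat: a kill switch only protects hosts that can actually reach the sinkhole, so blocking the domain at an egress filter, or forcing all web traffic through a proxy the malware does not use, silently re-enables the payload. Defenders should allow and log traffic to the sinkhole rather than block it, and treat any internal host that queries the domain as infected.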

How Was WannaCry Created? 

WannaCry exploited a bug in Windows’ SMBv1 implementation. The exploit for it was developed by the American National Security Agency (NSA), which codenamed it EternalBlue and did not inform Microsoft of the underlying flaw at the time. Why it was not handed to the team working on Windows is only speculation, but the general assumption is that the NSA held it back for its own intelligence operations. 

How Did EternalBlue Get Leaked? 

Because the flaw was not shared with Microsoft, the risk of it escaping was always there, and in 2016 a group calling itself the Shadow Brokers obtained a cache of NSA tooling. On 14 April 2017 they published EternalBlue along with other exploits (this was a separate dump from WikiLeaks’ Vault 7 CIA leak a month earlier, with which it is often confused), and the exploit was now available to anyone. Microsoft had already shipped a fix for the underlying bug, MS17-010, on 14 March 2017, a month before the leak and possibly thanks to an inside tip-off. Although the fix existed, the aftereffects of WannaCry showed how many systems had not installed it. 

Who was Responsible For Creating the Malware? 

The actual author of WannaCry has never been formally established. The main suspect according to the US government is Park Jin Hyok, a North Korean national who a 2018 Department of Justice indictment alleges worked on behalf of the North Korean government. He is charged with involvement in the WannaCry ransomware worm and in the attack on Sony Pictures in November 2014. He remains at large, beyond the reach of global law enforcement agencies, and is still considered a high-profile threat. 

How Did WannaCry Work? 

Very little about WannaCry’s inner workings was understood in the first hours of the outbreak, but reverse engineering since then has taught us a great deal about the malware and how it caused so much damage to countries all over the world. It is suspected to have been written in North Korea by Park Jin Hyok, a member of the government-backed hacking group known as the Lazarus Group; that attribution rests on overlaps between WannaCry’s code and earlier Lazarus malware, together with metadata in the samples, rather than on any recovered source code. 

How Did the Code Spread? 

How the code first got into networks is also something of a mystery, with a number of competing theories posited by leading researchers. Early reports blamed phishing, for example an e-mail carrying a .PDF attachment that would start the download of the malware, but later analysis found no evidence of a phishing campaign, and the likeliest initial vector is that the worm simply found machines with TCP port 445 exposed to the internet. However it got in, because WannaCry could spread over SMB, one infection on one computer could quickly lead to an entire network being encrypted as the worm moved from machine to machine, with no precondition beyond an unpatched host reachable on port 445. 
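As an added example for the spreading behaviour described here and in the section on why WannaCry was different (this is not code from the article or from any WannaCry analysis tool), the following detector reads connection logs and flags any source that opens SMB connections to an unusually large number of distinct hosts within a minute, which is what a worm sweeping its /24 and random internet addresses looks like. The log format, every address, the timestamps and the thresholds are all constructed for the demo.

```python
"""Flagging worm-style SMB scanning in connection logs.

Added example, not from the original article or any vendor product. The
log lines, addresses and thresholds are constructed. Idea: an infected host
probing port 445 across its subnet and random internet addresses contacts
far more distinct peers per minute than any legitimate SMB client does.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_log() -> list:
    """Constructed flow-log lines: '<ISO8601 UTC> <src> <dst> <dport> <flag>'."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 1. Infected workstation sweeping its /24: 40 neighbours in 20 seconds.
    for i in range(40):
        lines.append(f"{stamp(i // 2)} 10.0.5.23 10.0.5.{100 + i} 445 SYN")
    # 2. The same host also probing random internet addresses on 445.
    for i in range(10):
        lines.append(f"{stamp(i)} 10.0.5.23 198.51.100.{i + 1} 445 SYN")
    # 3. An ordinary client reconnecting to one file server all morning.
    for i in range(40):
        lines.append(f"{stamp(i * 60)} 10.0.5.77 10.0.5.50 445 SYN")
    # 4. An admin touching eight servers, spread over half an hour.
    for i in range(8):
        lines.append(f"{stamp(i * 240)} 10.0.5.80 10.0.5.{60 + i} 445 SYN")
    # 5. HTTPS from the infected host: not SMB, must be ignored.
    lines.append(f"{stamp(5)} 10.0.5.23 203.0.113.9 443 SYN")
    return lines


def parse(line: str):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _flag = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_smb_scanners(lines, window_s: int = 60, threshold: int = 20) -> dict:
    """Return {src: peak distinct 445/tcp peers in any window} for sources at or over threshold.

    A sliding window per source keeps a count of how many events for each
    destination are currently inside the window, so 'distinct peers' is the
    number of keys with a non-zero count.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse(line)
        if dport == 445:
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_s)
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()
        lo, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Expire everything older than the window start.
            while events[lo][0] < ts - window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in find_smb_scanners(constructed_log()).items():
        print(f"{src}: {peak} distinct SMB peers within 60s -> investigate (worm-style sweep)")
```

On the constructed log only 10.0.5.23 is flagged (50 distinct peers inside a minute); the file-server client and the admin stay well under the threshold. In a real deployment the threshold is tuned per environment, and the same sliding-window logic can be pointed at firewall deny logs, where an internal host being refused on 445 by dozens of distinct addresses is just as telling.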

Why wasn’t The Exploit Patched? 

An important point is that WannaCry could only infect Windows computers that had not installed the March 2017 patch (MS17-010). That patch only covered supported versions of Windows; unsupported ones such as Windows XP and Server 2003 had no fix at all until Microsoft issued emergency updates within a day of the outbreak. One of the biggest lessons that many organisations took away from the malware epidemic is that regular updating and patching, and retiring or isolating systems that can no longer be patched, is far more important than many people assumed at the time. A second lesson is that SMBv1 should be disabled wherever it is not strictly needed, and port 445 should never be reachable from the internet, since the worm could not touch a host that did not speak the protocol. 

Join us next week for a full analysis of the WannaCry code!
