North Korean advanced persistent threat (APT) group Lazarus — also known as Hidden Cobra — is developing supply chain attack capabilities using the MATA cross-platform malware framework commonly used for cyber espionage, according to Kaspersky researchers.
The researchers found that in June, the group was using the MATA framework — which can attack Windows, Linux and macOS operating systems — to target the defense industry in several countries. The MATA framework has been used to spread malware payloads since 2019.
This, incidentally, is not the first time that Lazarus has attacked the defense industry. Its previous ThreatNeedle campaign ran similarly in mid-2020, note Kaspersky researchers in the company’s quarterly threat intelligence summary.
In recent years, Lazarus has been linked to a series of financial cybercrimes and cyber espionage campaigns designed to benefit the North Korean government. In June, according to Kaspersky researchers, the hacker group had used BlindingCan and CopperHedge backdoors to attack a think tank in South Korea.
During the initial research into CopperHedge, researchers found Lazarus using a downloader called Racket, which the group signed with a stolen certificate, and compromising vulnerable web servers. The hackers then loaded various scripts to filter and control malicious “implants” on successfully breached machines, researchers say.
Ariel Jungheit, senior security researcher on Kaspersky’s Global Research and Analysis Team, said the recent developments highlight two things: Lazarus remains interested in the defense industry, and it is looking to expand its capabilities with supply chain attacks.
According to him, the group is not the only one seen using attacks on the supply chain. Last quarter, the Kaspersky team also tracked attacks carried out by SmudgeX and BountyGlad. “When successfully carried out, supply chain attacks can have devastating results, affecting far more than one organization, something we clearly saw with the SolarWinds attack last year. With threat operators investing in such capabilities, we need to remain vigilant and focus defense efforts on that front,” notes Jungheit.
Major Attack History
The Lazarus group is linked to several high-profile attacks. It was reportedly behind WannaCry in 2017, the $81 million robbery of a Bangladeshi bank and the attack on Sony Pictures in 2014.
In February, a Kaspersky report pointed out that Lazarus was conducting a campaign against defense industry targets in more than a dozen countries using the ThreatNeedle backdoor, which moves laterally across networks and even overcomes network segmentation.
In March, the group began deploying the TFlower ransomware, using the MATA framework. The deployment has raised suspicions that the group is behind TFlower or has some level of collaboration with the ransomware operators.
Some researchers believe the group may be masquerading as TFlower to make its ransomware operations harder to track. In the past, the US government has issued frequent warnings about North Korean-sponsored hackers and has published data on nearly 30 variants of ransomware associated with hacker groups suspected of working with the North Korean regime.