Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the Lazarus Group, researchers have attributed many cyber attacks to them over the last decade. The earliest known attack that the group is responsible for is known as “Operation Troy”, which took place from 2009-2012. This was a cyber-espionage campaign that utilized unsophisticated DDoS techniques to target the Seoul government of South Korea. They are also responsible for attacks in 2011 and 2013. It is possible that they were also behind a 2007 attack targeting South Korea, but that still isn’t certain. A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time. The most recent attack attributed to the group is recent 2016 bank heists, which included an attack on a Bangladesh bank, successfully stealing $81m.
Under the name “Operation Blockbuster”, a coalition of security companies, led by Novetta, was able to analyze malware samples found in different cyber-security incidents. Using that data, the team was able to analyze the methods used by the actors. They linked the Lazarus Group to a number of attacks through a pattern of code re-usage.
The earliest possible attack that can be attributed to the Lazarus Group took place in 2007. This attack was named “Operation Flame” and utilized first generation malware against the South Korean government. According to some researchers, the activity present in this attack can be linked to later attacks such as “Operation 1Mission,” Operation Troy,” and the DarkSeoul attacks in 2013. The next incident took place on July 4, 2009 and sparked the beginning of “Operation Troy.” This attack utilized the MYDOOM and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text “Memory of Independence Day” in the Master Boot Record.
As time goes on, the attacks from the group get more sophisticated. Their techniques and tools become better developed and are more effective. In March 2011, “Ten Days of Rain” began. This attack targeted South Korean media, financial, and critical infrastructure. It consisted of more sophisticated DDoS attacks that originated from compromised computers within South Korea. The attacks continue with DarkSeoul on March 20, 2013. This was a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP. At the time, two other groups, NewRomanic Cyber Army Team and WhoIs Team, took credit for that attack but researchers now know that the Lazarus Group was behind it.
The Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared Stating that Sony Pictures had been hacked. No one knew it at the time, but this was the start to one of the biggest corporate breaches in recent history. At the time of the attack, the group identified themselves as the Guardians of Peace (GOP) and they were able to hack their way into the Sony network, leaving it crippled for days. The group claims that they were in the Sony network for a year before they were discovered, and it is certainly possible that that is true. The attack was so intrusive that the actors were able to get access to valuable insider information including previously unreleased films and the personal information of approximately 4,000 past and present employees. The group was also able to access internal emails and reveal some very speculative practices going on at Sony.