Lazarus Group / BlueNoroff / Andariel
A criminal complaint was unsealed September 6, 2018 charging Park Jin Hyok (a/k/a Jin Hyok Park and Pak Jin Hek), a North Korean citizen, for his involvement in a conspiracy to conduct multiple destructive cyberattacks around the world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money and other resources (the “Conspiracy”). These groups have been described as “the world's leading bank robbers” and “a criminal syndicate with a flag”.
The complaint alleges that Park was a member of a government-sponsored hacking team known to the private sector as the “Lazarus Group,” and worked for a North Korean government front company, Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”), to support the DPRK government’s malicious cyber actions.
The Conspiracy’s malicious activities include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.
The charges were announced by Attorney General Jeff Sessions, FBI Director Christopher A. Wray, Assistant Attorney General for National Security John C. Demers, First Assistant United States Attorney for the Central District of California Tracy Wilkison and Assistant Director in Charge Paul D. Delacourt of the FBI’s Los Angeles Field Office.
In addition to these criminal charges, Treasury Secretary Steven Mnuchin announced today that the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Park and KEJV under Executive Order 13722 based on the malicious cyber and cyber-enabled activity outlined in the criminal complaint.
“Today’s announcement demonstrates the FBI’s unceasing commitment to unmasking and stopping the malicious actors and countries behind the world’s cyberattacks,” said FBI Director Christopher Wray. “We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign. This group’s actions are particularly egregious as they targeted public and private industries worldwide – stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems. We’ll continue to identify and illuminate those responsible for malicious cyberattacks and intrusions, no matter who or where they are.”
“The scale and scope of the cyber-crimes alleged by the Complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General Demers. “The Complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage. The investigation, prosecution, and other disruption of malicious state-sponsored cyber activity remains among the highest priorities of the National Security Division and I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this investigation.”
“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe,” said First Assistant United States Attorney Tracy Wilkison. “The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe. These charges send a message that we will track down malicious actors no matter how or where they hide. We will continue to pursue justice for those responsible for the huge monetary losses and attempting to compromise the national security of the United States.”
Park Jin Hyok was a computer programmer who worked for over a decade for Chosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”). Chosun Expo Joint Venture had offices in China and the DPRK, and is affiliated with Lab 110, a component of DPRK military intelligence. In addition to the programming done by Park and his group for paying clients around the world, the Conspiracy also engaged in malicious cyber activities. Security researchers who have independently investigated these activities referred to this hacking team as the “Lazarus Group.” The Conspiracy’s methods included spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.
In November 2014, the conspirators launched a destructive attack on Sony Pictures Entertainment (SPE) in retaliation for the movie “The Interview,” a farcical comedy that depicted the assassination of the DPRK’s leader. The conspirators gained access to SPE’s network by sending malware to SPE employees, and then stole confidential data, threatened SPE executives and employees, and damaged thousands of computers. Around the same time, the group sent spear-phishing messages to other victims in the entertainment industry, including a movie theater chain and a U.K. company that was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
In February 2016, the Conspiracy stole $81 million from Bangladesh Bank. As part of the cyber-heist, the Conspiracy accessed the bank’s computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) communication system after compromising the bank’s computer network with spear-phishing emails, then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of NY to transfer funds from Bangladesh to accounts in other Asian countries. The Conspiracy attempted to and did gain access to several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion through such operations.
In 2016 and 2017, the Conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. These malicious emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and contained malware with the same distinct data table found in the malware used against SPE and certain banks, the complaint alleges. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.
In May 2017, a ransomware attack known as WannaCry 2.0 infected hundreds of thousands of computers around the world, causing extensive damage, including significantly impacting the United Kingdom’s National Health Service. The Conspiracy is connected to the development of WannaCry 2.0, as well as two prior versions of the ransomware, through similarities in form and function to other malware developed by the hackers, and by spreading versions of the ransomware through the same infrastructure used in other cyber-attacks.
Park and his co-conspirators were linked to these attacks, intrusions, and other malicious cyber-enabled activities through a thorough investigation that identified and traced: email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases, malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. Some of this malicious infrastructure was used across multiple instances of the malicious activities described herein. Taken together, these connections and signatures—revealed in charts attached to the criminal complaint—show that the attacks and intrusions were perpetrated by the same actors.
On 13 September 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting three North Korean state-sponsored malicious cyber groups responsible for North Korea’s malicious cyber activity on critical infrastructure. Today’s actions identify North Korean hacking groups commonly known within the global cyber security private industry as “Lazarus Group,” “Bluenoroff,” and “Andariel” as agencies, instrumentalities, or controlled entities of the Government of North Korea pursuant to Executive Order (E.O.) 13722, based on their relationship to the Reconnaissance General Bureau (RGB). Lazarus Group, Bluenoroff, and Andariel are controlled by the U.S.- and United Nations (UN)-designated RGB, which is North Korea’s primary intelligence bureau.
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence. “We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
Lazarus Group targets institutions such as government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure, using tactics such as cyber espionage, data theft, monetary heists, and destructive malware operations. Created by the North Korean Government as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau of the RGB. The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North Korea’s cyber operations. In addition to the RGB’s role as the main entity responsible for North Korea’s malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of North Korean arms. The RGB was designated by OFAC on January 2, 2015 pursuant to E.O. 13687 for being a controlled entity of the Government of North Korea. The RGB was also listed in the annex to E.O. 13551 on August 30, 2010. The UN also designated the RGB on March 2, 2016.
Lazarus Group was involved in the destructive WannaCry 2.0 ransomware attack which the United States, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017. Denmark and Japan issued supporting statements and several U.S. companies took independent actions to disrupt the North Korean cyber activity. WannaCry affected at least 150 countries around the world and shut down approximately three hundred thousand computers. Among the publicly identified victims was the United Kingdom’s (UK) National Health Service (NHS). Approximately one third of the UK’s secondary care hospitals — hospitals that provide intensive care units and other emergency services — and eight percent of general medical practices in the UK were crippled by the ransomware attack, leading to the cancellation of more than 19,000 appointments and ultimately costing the NHS over $112 million, making it the biggest known ransomware outbreak in history. Lazarus Group was also directly responsible for the well-known 2014 cyber-attacks on Sony Pictures Entertainment (SPE).
Also designated were two sub-groups of Lazarus Group, the first of which is referred to as Bluenoroff by many private security firms. Bluenoroff was formed by the North Korean government to earn revenue illicitly in response to increased global sanctions. Bluenoroff conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs. Cybersecurity firms first noticed this group as early as 2014, when North Korea’s cyber efforts began to focus on financial gain in addition to obtaining military information, destabilizing networks, or intimidating adversaries. According to industry and press reporting, by 2018, Bluenoroff had attempted to steal over $1.1 billion from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.
According to cyber security firms, typically through phishing and backdoor intrusions, Bluenoroff conducted successful operations targeting more than 16 organizations across 11 countries, including the SWIFT messaging system, financial institutions, and cryptocurrency exchanges. In one of Bluenoroff’s most notorious cyber activities, the hacking group worked jointly with Lazarus Group to steal approximately $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account. By leveraging malware similar to that seen in the SPE cyber attack, Bluenoroff and Lazarus Group made over 36 large fund transfer requests using stolen SWIFT credentials in an attempt to steal a total of $851 million before a typographical error alerted personnel, who prevented the additional funds from being stolen.
The second Lazarus Group sub-group designated was Andariel. It focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry. Cybersecurity firms first noticed Andariel around 2015, and reported that Andariel consistently executes cybercrime to generate revenue and targets South Korea’s government and infrastructure in order to collect information and to create disorder.
Specifically, Andariel was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market. Andariel is also responsible for developing and creating unique malware to hack into online poker and gambling sites to steal cash.
According to industry and press reporting, beyond its criminal efforts, Andariel continues to conduct malicious cyber activity against South Korean government personnel and the South Korean military in an effort to gather intelligence. One case spotted in September 2016 was a cyber intrusion into the personal computer of the South Korean Defense Minister in office at that time and the Defense Ministry’s intranet in order to extract military operations intelligence.
In addition to malicious cyber activities on conventional financial institutions, foreign governments, major companies, and infrastructure, North Korea’s cyber operations also target Virtual Asset Providers and cryptocurrency exchanges to possibly assist in obfuscating revenue streams and cyber-enabled thefts that also potentially fund North Korea’s WMD and ballistic missile programs. According to industry and press reporting, these three state-sponsored hacking groups likely stole around $571 million in cryptocurrency alone, from five exchanges in Asia between January 2017 and September 2018.
Separately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Cyber Command (USCYBERCOM) have in recent months worked in tandem to disclose malware samples to the private cybersecurity industry, several of which were later attributed to North Korean cyber actors, as part of an ongoing effort to protect the U.S. financial system and other critical infrastructure as well as to have the greatest impact on improving global security. This, along with today’s OFAC action, is an example of a government-wide approach to defending and protecting against an increasing North Korean cyber threat and is one more step in the persistent engagement vision set forth by USCYBERCOM.
The Lazarus group, North Korea's state-run hacking operation, targeted two organisations in an attempt to steal research relating to Covid-19 vaccines, according to a January 2021 analysis by Kaspersky. The two attacks used different tactics, techniques and procedures (TTPs), but Kaspersky said it found enough in common – including similarities in the post-exploitation process – to convince it that the same attacker was behind both incidents. And the malware used points directly to the Lazarus group. Kaspersky doesn't name the targets in its report, but says that a government ministry of health was attacked using the wAgent malware in October 2020, with two servers being compromised. The malware opened a reverse shell, allowing the attackers access to the machines.
The second attack, in September 2020, used the Bookcode malware against a pharmaceutical firm developing and distributing a Covid-19 vaccine. This malware also has the capability to open a backdoor. Kaspersky couldn't identify the infection vector in this case. In the past, Lazarus has used spear-phishing to deliver malware, although ESET has also previously detected supply-chain attacks in which the malware was injected into updates for legitimate software used by targets.