Kaspersky researchers have identified a new, previously unknown, campaign from Lazarus, a highly prolific advanced threat actor active since 2009 that has been linked to a number of multifaceted campaigns.
Since early 2020, it has been targeting the defence industry with a custom backdoor dubbed ThreatNeedle. The backdoor moves laterally through infected networks gathering sensitive information.
Lazarus is one of today’s most prolific threat actors. Active since 2009, Lazarus has been involved in large-scale cyberespionage campaigns, ransomware campaigns and even attacks against the cryptocurrency market. While they have focused on financial institutions for the past few years, at the beginning of 2020 it appears they added the defence industry to their ‘portfolio’.
“Lazarus was perhaps the most active threat actor of 2020 and it doesn’t appear that this will change anytime soon. In fact, already in January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out,” said Seongsu Park, Senior Security Researcher, Global Research and Analysis Team (GReAT).
Vyacheslav Kopeytsev, Security Expert, Kaspersky ICS CERT added that: “Lazarus is not just highly prolific but highly sophisticated. Not only were they able to overcome network segmentation, but they did extensive research to create highly personalised and effective spear phishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it’s important organisations take extra security precautions to safeguard against these types of advanced attacks.”