
A hacker group that steals for the leader of North Korea


A group of cybercriminals called Lazarus, which in 2017 infected computers around the world with the WannaCry virus, has stolen about 585 million euros in cryptocurrency. It is the biggest digital heist in history. But who is Lazarus?

In late March, the Lazarus criminal group, which works for the North Korean regime, carried out what is already considered the largest known cyber heist. The group made off with about 585 million euros in ethereum (the second most popular cryptocurrency after bitcoin) from a website linked to the video game Axie Infinity.

The attribution of the heist to the North Korean group came from the United States. The blockchain consultancy Chainalysis also believes North Korean hackers may have obtained $400 million worth of digital assets last year through various attacks targeting cryptocurrency platforms.

State “sponsorship” of hacker teams is common in some countries such as China, Iran or the US, which use hackers to carry out sabotage or gain valuable information. But in the case of North Korea, things are different. The leader uses hackers to make money in order to survive the tough international sanctions that the country is facing.

Who is Lazarus?

Lazarus are cybercriminals, but they are not just digital thieves. WannaCry, the largest ransomware attack in history, was launched in 2017, and the United States, the United Kingdom and Microsoft have credited the North Korean group with creating the malware. This virus encrypts files and demands a payment to decrypt them. WannaCry is estimated to have affected around 300,000 computers in 150 countries, including those of the UK's National Health Service, eventually causing them to crash.

A year earlier, in 2016, the Lazarus group tried to steal $1 billion from the Central Bank of Bangladesh. The scheme consisted of impersonating bank employees and obtaining authorization to move funds. The attack failed due to a coding error. Despite this, they managed to take $81 million. The FBI called it the largest cyberattack in history.

The group is also suspected of stealing about $530 million in tokens (digital financial assets) from the Japanese cryptocurrency exchange Coincheck in 2018.

But Lazarus also carries out sabotage operations. North Korean hackers were particularly active in 2020, when major pharmaceutical companies were feverishly working on a Covid-19 vaccine. They attempted to hack into the computers of AstraZeneca employees who were developing the vaccine, and later tried to steal information from Pfizer.

Since North Korea is one of the few countries in the world where the pandemic was contained (until a few weeks ago), the country's intentions may have been to sabotage the pharmaceutical companies' processes or to sell industrial secrets.

Another of Lazarus's most notorious attacks, one with no economic purpose, occurred in 2014 and was the first warning that the North Koreans were no amateurs in the digital realm. The target was Sony Entertainment, the producer of the comedy film The Interview, which is about two people hired to assassinate Kim Jong-un.

A month before the scheduled release date, a group of hackers infected the computers of Sony employees. They succeeded in erasing sensitive company data, publishing salary data and exposing incriminating emails from some managers. They also threatened to attack cinemas showing the film, prompting major distributors to pull it from their screens.

Stealing money for the regime

All the money that Lazarus steals has one destination: Kim Jong-un's regime. Unlike other advanced persistent threats (APTs), the term for organized hacker groups with great capabilities, Lazarus operates with the primary goal of financially supporting the North Korean regime.

Typically, APTs, the government-run and government-sponsored teams that sit at the top of the hacker pyramid, are very well structured and hierarchical, with departments and professionals whose roles are clearly defined, and have the economic resources that allow them to develop sophisticated attacks smoothly and quickly. On paper, only the intelligence agencies of the great powers (the US, Russia or the UK) have more power than the PLA.

Due to the very nature of the Internet, where it is easy to go unnoticed, cyberattacks are very difficult to attribute. "APTs are mostly traced through clues provided by the intelligence services and through features of their code, but it can take months to conduct a high-quality forensic analysis that determines authorship," explains hacker and cybersecurity analyst Deepak Daswani, quoted by the newspaper El País. This is why governments use APTs to sabotage, spy or conduct intelligence operations without provoking diplomatic incidents.

In the case of the Lazarus group, the purpose of running ransomware is to raise money to support a regime that, due to international sanctions, has to resort to other means to achieve its goals.
