North Korean Lazarus Group Hacked Energy Providers Worldwide

  • A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022.

    The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it.

    Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain initial access to targeted organizations.

    “The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post–exploitation led to the download of their toolkit from web servers,” the team wrote.

    “In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”

    In terms of the tools used in these attacks, Cisco Talos said they discovered the use of two known malware families, VSingle and YamaBot, alongside the deployment of a recently disclosed implant they called ‘MagicRAT.’

    “Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup[…], this included deleting all files in the infection folder along with the termination of the PowerShell tasks,” explained Cisco Talos.

    “The attacker–created accounts were removed and finally, the Windows Event logs […] would be purged.”

    According to Cisco Talos, organizations targeted in the recent Lazarus attacks included energy providers from different countries, including the US, Canada and Japan.

    “The campaign is meant to infiltrate organizations around the world for establishing long–term access and subsequently exfiltrating data of interest to the adversary’s nation–state,” reads the technical write–up.

    The new Cisco Talos advisory is only the latest in a long list describing the Lazarus Group’s hacking operations over the summer.

    In June, blockchain analytics company Elliptic suggested the threat actor may be behind the $100m theft from cryptocurrency firm Harmony. More recently, The Block connected the group to Axie Infinity’s $600m hack.