Security News

Cybersecurity news aggregator


The Lazarus group: North Korean scourge for +10 years | NCC Group

  • What: The North Korean threat actor Lazarus has been operating for over 10 years and is behind cyber incidents such as the 2014 Sony Pictures attack, the 2016 Bangladesh Bank heist and the 2017 WannaCry ransomware outbreak.
  • Impact: Unlike most state actors, which focus on espionage and sabotage, Lazarus is strongly financially motivated: it robs banks, breaks into cryptocurrency exchanges and deploys ransomware to fund the North Korean regime, and it operates with no fear of prosecution at home.

Article by NCC Group, 30 June 2022. Threat Intelligence.

The North Korean threat actor Lazarus has operated for more than 10 years and is behind infamous cyber incidents such as the attack on Sony Pictures in 2014 and the spread of the WannaCry ransomware in 2017. Unlike most other state actors, Lazarus is highly financially motivated and attempts to boost the feeble North Korean economy. Because the regime supports and instigates these operations, North Korean threat actors face no risk of prosecution at home; quite the contrary. It is therefore very likely that the Lazarus group will continue to operate for years to come.

State actors are cyber threat groups that operate in the interests of their state. They generally engage in espionage, stealing sensitive information to benefit their homeland politically or economically. Sometimes they perform sabotage as part of broader military operations, for reasons of national security or for political ends. They are rarely financially motivated, and this is where the North Korean threat group known as Lazarus differs from most other state actors: since 2009 it has robbed banks and broken into cryptocurrency exchanges to fill the state's coffers.

Boosting the North Korean economy with WannaCry ransomware and other nation-state cyber attacks

Isolated from the rest of the world, a political pariah and facing sanctions, the North Korean economy is in dire straits. The regime has turned to cybercrime as one way to boost the economy, and it needs money (and knowledge) to further its national ambitions, such as the development of missiles and nuclear weapons. To that end, North Korean cyber criminals attack banks and cryptocurrency exchanges and export ransomware. Lazarus gained notoriety for its attack on Sony Pictures in 2014 and for an ingenious cyber heist on the Central Bank of Bangladesh in 2016 that netted $81 million. That loot, however, was only a fraction of what it could have been; more on that later.

In May 2017, Lazarus spread the WannaCry ransomware, encrypting victims' files and demanding a ransom of between $300 and $600 in bitcoin to unlock their data. The attackers presumably withdrew approximately $150,000 worth of bitcoin several months after the attack. More than 200,000 computers across 150 countries were hit, with estimates of the total damage ranging from hundreds of millions of dollars to as much as $4 billion. In the UK, for example, the National Health Service suffered a particularly hard blow: emergency departments were affected and urgent appointments had to be rescheduled. Total estimated damage for the NHS: £5.9 million.

A strongly motivated threat actor

These and other sophisticated attacks have shown Lazarus to be a formidable threat group. However, the group is generally perceived not to be on par with many other state-backed threat groups. Our research into adversarial operations indicates that Lazarus consists of different teams of varying quality: top teams exhibit highly skilled operational capabilities, but some activities appear to be executed by lower-tier operators. There is also a suspicion that other hackers carry out attacks on behalf of Lazarus. Whatever the team, they are strongly motivated to continue until they reach their goal. Lazarus develops its own attack tools and malware, uses innovative attack techniques, works very methodically and takes its time. In particular, the North Korean methods aim to evade detection by security products and to remain undetected within compromised systems for as long as possible.

More reckless than Russian threat actor groups

At the same time, North Korean threat actors distinguish themselves from other sophisticated groups by operating more recklessly, as if they are not afraid of being caught. In any case, they have nothing to fear from the North Korean government; after all, they operate in the interests of the state and its Great Leader. This gives North Korean actors even more room to achieve their goals than state actors from other countries. The country is barely, if at all, sensitive to external (political) pressure to comply with internationally accepted rules, and it has no regard for what other countries consider acceptable behaviour. It is also said of Russia that nothing hinders hackers there. But the sudden disappearance of the notorious Russian groups DarkSide and REvil after their recent disruptive ransomware attacks makes it likely that Russia has succumbed to American political pressure.

State-run training

Unrestricted internet access does not exist in North Korea; the government completely controls it. It is therefore virtually impossible for North Korean hackers to act on their own. All cyber attacks are undoubtedly explicitly authorized, or even initiated and directed, by the regime.
