The Lazarus Group: Targeted attack mitigation applies to everyone

One of the main obstacles to targeted attack mitigation can be the naivety of potential victims; organizations who don’t consider themselves attractive targets. Relatively small businesses, or those with a comparatively low turnover, may believe that “nobody’s going to bother about us”. This, or simple ignorance of the existence of such attacks despite all the efforts of the information security community to raise awareness, can leave businesses vulnerable.

Kaspersky Lab, in partnership with other information security companies, has deduced that the Lazarus group has been behind a whole chain of targeted attacks over the years. It has been confirmed that the Operation Troy, DarkSeoul, Hangman/Peachpit, Volgmer, WildPositron and Duuzer attacks all originated from this single source. At the heart of one recent attack cluster is the Destover wiper, whose derivatives came in handy for the Lazarus group in these attacks. Over the last two years, the number of destructive attacks using wipers has grown considerably.

Attack victims were to be found in a whole spectrum of different industries: it’s almost easier to list the business sectors where attack modules weren’t identified. Finance, manufacturing, publishing, government, military, media, entertainment, critical infrastructure – the list of companies of every size that suffered during the years of Lazarus activity is a long one.

It’s important to understand that no organization is immune to the threat posed by targeted attacks. For a start, smaller businesses that consider themselves insignificant may well be part of an enterprise supply chain, providing a convenient base from which to infiltrate the end customer. The damage to customer relationships generated by such an event could well be terminal to a small business. But smaller organizations are also themselves often the final target, particularly if they underestimate the value of their data and how it could be sold on and exploited by the cybercriminal community. The diversity of Lazarus targets confirms that targeted attacks are a problem for each and every organization.

Simple doesn’t mean ineffective

The vast majority of targeted attacks begin with simple steps: spear-phishing with malicious attachments or clickable links, or the infection of employees’ favorite websites (water-holing) to penetrate the security perimeter through vulnerable browsers or other software. Don’t assume that because these methodologies are well-known, they are any less effective. Over and again, ‘tried and trusted’ spear-phishing and water-holing have proved their worth, particularly when the choice of email sender and content, or website URL, has been carefully thought out.

There are, of course, ways to defend against such attacks: improving employee IT literacy through education is one vital step in targeted attack mitigation, together with ditching the “nobody would bother with us” attitude.

User education is important: the only evidence that a professionally-implemented attack is taking place may be a fishy-looking email or an unexpected browser message. In the same way, this may be all you see before wiper or crypto-locker software is activated, demanding money for decrypting data on the victim’s machine. So it’s easier to fight an attack during the ‘penetration phase’, before the malware has managed to download its modules from control servers, collect all ‘marketable’ user data and infect neighboring PCs. This later, lethal, ‘activation phase’ may take place imperceptibly to the user, though it can be detected by specialized security systems.

How specialized security systems work

How can security software reveal the attack, even during the clandestine activation phase? In the same way that Kaspersky Lab and its partners identified a single source for all those attacks – with a lot of serious math and machine learning. For example, file ‘clusterization’ – separation, based on a number of criteria and the analysis of vast numbers of already clusterized files, into “white” and “black and grey” samples – gives a huge advantage when dealing with a previously unknown attack.

Wiper and crypto-locker developers can modify their creations all they want – once Destover has been exposed, self-learning systems place all the brand new family variations in the “black” file cluster.

Of course, self-learning systems are not the security companies’ only line of defense. Zero-day exploits are also regularly used in targeted attacks. Knowledge of exploitable vulnerabilities, or ‘holes’, in popular software is sold on the black market for tens of thousands of dollars, but the potential revenue generated through an exploit-based zero-day attack may well justify this level of investment. These zero-day attacks can be detected through heuristic technologies that recognize the exploit’s suspicious behavior.

Besides heuristic methods of malware detection, ‘indicators of compromise’, key signposts to known malicious activity from newly-disclosed attacks, are added to cyber-defense systems.

For example, looking at the Lazarus group, indicators include:

  • the use of the Hangul Word Processor zero-day
  • checking for specific as well as standard virtual machine names, and halting execution when one is found, to avoid detection in analysis environments
  • using the same passwords when archiving modules
  • misspelling the browser name in the text string inside the code – “Mozillar”

These indicators in turn generate defensive rules, which can then be added to appropriate products throughout the IT security industry.
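As an added illustration, not taken from the article or from any Kaspersky Lab product, here is the ‘Mozillar’ string indicator turned into a simple defensive check: printable strings are extracted from a file image and matched against the indicator list. The two sample blobs are constructed for the example; the other Lazarus indicators listed above are behavioral and are not modelled here.

```python
import re

# String indicator taken from the article: the misspelled browser name
# "Mozillar" embedded in the Lazarus code. The rule name is our own label.
STRING_INDICATORS = {
    "lazarus_mozillar_browser_string": b"Mozillar",
}


def extract_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Return runs of printable ASCII of at least min_len bytes,
    the same idea as the Unix `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def match_indicators(blob: bytes) -> dict[str, list[str]]:
    """Map each indicator name to the extracted strings that contain it.
    An empty dict means no string indicator fired."""
    strings = extract_strings(blob)
    hits: dict[str, list[str]] = {}
    for name, needle in STRING_INDICATORS.items():
        found = [s.decode("ascii") for s in strings if needle in s]
        if found:
            hits[name] = found
    return hits


# Constructed sample file images (not real malware): a fake PE header,
# some padding, and an embedded User-Agent string.
SUSPECT_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"User-Agent: Mozillar/4.0 (compatible; MSIE 7.0)\x00\x00GET /\x00"
)
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\x00\x00GET /\x00"
)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        # The correctly spelled "Mozilla/" must not trigger the rule.
        print(label, match_indicators(blob))
```

A real deployment would scan files on disk or in mail attachments with the same function, and the indicator list would be extended as new Lazarus samples are analyzed.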

The best defenses against wipers include effective data backup, so that wiped data can be recovered with minimal losses. While data backup doesn’t relate directly to the information security sphere and is historically the responsibility of the IT department, it’s a valuable additional security mechanism as part of a multi-layered defense strategy.

To be truly comprehensive, targeted attack mitigation should include:

  • organizational measures (employee education, regular training, well-developed security policies)
  • system administration activity (blocking unnecessary protocols on routers, distributing user privileges thoughtfully)
  • the work of security officers (implementing specialized systems and constantly monitoring the situation, preferably through a unified console).

Further actions are described in a separate document. Those recommendations relating to specialized security software are, of course, already implemented in Kaspersky Lab products.
