
Lazarus Group: A criminal syndicate with a flag
The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People’s Republic of Korea (DPRK, North Korea). The group operates within the nation’s primary intelligence agency, the Reconnaissance General Bureau (RGB). Analysts believe most Lazarus Group members operate from Pyongyang, North Korea, with some operating abroad via foreign outposts or cover companies. One example of a foreign operation is detailed in this 2018 statement by the U.S. Department of Justice:
Park Jin Hyok, was a computer programmer who worked for over a decade for Chosun Expo Joint Venture … and is affiliated with Lab 110, a component of DPRK military intelligence. … Security researchers that have independently investigated these activities referred to this hacking team as the “Lazarus Group.”
The Lazarus Group has been active since at least 2009 and has become one of the most prolific and versatile threat actors in the world.
What is the Lazarus Group?
The name ‘Lazarus Group’ originally referred to a single threat actor or “small set of coordinated actors” linked to North Korea. Today, it is an umbrella term describing the many subgroups, or threat clusters, assigned to cyber operations within DPRK military intelligence. Mandiant researchers created this diagram in 2024 to illustrate their best assessment of the DPRK hierarchy:
Before we dig into the Lazarus Group clusters, let’s quickly look at the Ministry of State Security (MSS) and APT37. The MSS is a civilian secret police and counterintelligence agency that conducts domestic surveillance and political security activities. The MSS controls the flow of information inside the country and monitors the North Korean population for loyalty.
APT37 performs cyber operations supporting the mission of the MSS. In 2020-2021, the group targeted COVID-19 researchers as part of DPRK’s pandemic response. The group also performs ongoing targeting of South Korean organizations that assist North Korean defectors. APT37 isn’t commonly considered part of Lazarus Group.
Lazarus Group threat clusters reside within the RGB. Researchers originally traced the clusters to the 5th Bureau and 3rd Bureau within the RGB, as you see in this diagram from 2020:
The distinction here is based on mission focus. Mandiant researchers concluded the 5th Bureau was focused on South Korea and other regional targets, while the 3rd Bureau was assigned to foreign intelligence. The financially motivated Lazarus Group clusters were linked to Lab 110, while Bureau 325 conducted information warfare and influence operations against South Korea.
The COVID-19 pandemic disrupted the DPRK cyber operations and severed the foreign operators from their leadership in Pyongyang. Threat actors abroad began collaborating in different ways and started running ransomware campaigns to fund their groups without support from the RGB. As a result, the DPRK cyber operations coming out of the pandemic were very different from those before it. The Bureau alignment became less relevant as the geopolitical interests of North Korea evolved, so the 2024 assessment eliminates the bureau distinctions and puts Lazarus Group clusters directly below the RGB.
Lazarus Group clusters
There are multiple active clusters in the RGB, and most of them are tracked by more than one name. These clusters collaborate, share infrastructure and tools, and sometimes splinter into additional groups for specific projects. Lazarus Group actors benefit from the protection and support of the regime, and they are provided information from multiple sources throughout the DPRK intelligence system. This allows the group leadership and operators to identify and adapt quickly to new opportunities.
Researchers are commonly tracking five to eight clusters at a time, including the project-based clusters that come and go. The following four clusters are the primary groups:
- TEMP.Hermit, aka Diamond Sleet, Labyrinth Chollima, Selective Pisces, TA404: This cluster targets government, defense, telecommunications and financial institutions worldwide. The term “Lazarus Group” refers most often to this cluster of activities.
- APT43, aka Kimsuky, Velvet Chollima, Black Banshee, Emerald Sleet, Sparkling Pisces, Thallium: North Korea's premier intelligence collection unit. This group conducts sophisticated espionage targeting South Korea, Japan, and U.S. government, defense and academic sectors.
- APT38, aka Bluenoroff, Stardust Chollima, BeagleBoyz, CageyChameleon: This threat is the top financially motivated operation in the DPRK. These operations target banks, cryptocurrency exchanges and DeFi platforms. APT38 circumvents sanctions through massive cryptocurrency theft operations.
- Andariel, aka APT45, Silent Chollima, Onyx Sleet, DarkSeoul, Stonefly, Clasiopa: This is a dual-purpose cluster that conducts cyber espionage against defense/aerospace/nuclear sectors and ransomware operations against healthcare organizations. The ransomware operations fund intelligence activities.
Lazarus Group operations have two primary missions. Besides the espionage and sabotage activities, the group is charged with capturing funds for the regime. The North Korean economy depends on this illicit revenue because the country has been isolated and dealing with international sanctions for many years. Cybercrime is a relatively low-cost activity that delivers reliable (so far) and sanction-proof funds that the regime can use as desired. Experts suspect the funds are used to develop weapons programs. From a 2024 United Nations report:
The Panel is investigating 58 suspected cyberattacks by the Democratic People’s Republic of Korea on cryptocurrency-related companies between 2017 and 2023, valued at approximately $3 billion, which reportedly help to fund the country’s development of weapons of mass destruction.
The DPRK will continue these cyberattacks as long as they remain profitable and international sanctions remain in place. Lazarus Group financial crime operations are a foundational and indispensable component of North Korea's national economy.
That’s not to say that intelligence gathering isn’t important as well. During the pandemic, the group was found stealing sensitive COVID-19 vaccine research from Pfizer, AstraZeneca and several other pharmaceutical firms and health ministries. It also targeted Ukrainian government entities while officials were distracted by the start of the Russian invasion.
Researchers at Kaspersky concluded that Lazarus Group threat clusters are structured to separate and protect espionage activities from financially motivated cybercrime. This structure also allows the RGB to provide only the most relevant information to each cluster, though this is just speculation. These clusters have been observed sharing malware, servers and other infrastructure, and even personnel, so it's possible they all have access to the same RGB intelligence.
Origin story
North Korea’s cyber capabilities started in 1990 with the establishment of the Korea Computer Center (KCC), which acted as the primary agency responsible for information technology strategy. In 1995 and 1998, then Supreme Leader Kim Jong Il issued directives for the Korean People’s Army (KPA) to pursue cyber capabilities.
The KPA was about twice the size of its South Korean counterparts, but it lacked equipment and capabilities. Kim Jong Il recognized cyber operations could be an effective weapon to make up for the gap in military strength. Experts believe that “cyber warfare” was formalized as a military domain in 1998, and students were being trained in this specialty by 2000.
Lazarus Group emerged as a threat actor in the late 2000s, shortly after the United Nations sanctioned the DPRK for its 2006 nuclear test. Sanctions continued to tighten as current Supreme Leader Kim Jong Un came to power and his regime prioritized demonstrations of its military and digital strength. In this environment, Lazarus grew into a state revenue engine based on economic theft and global ransomware.
The first campaign attributed to Lazarus Group was “Operation Troy,” which began in 2009 as a wave of distributed denial-of-service (DDoS) attacks against U.S. and South Korean government websites. These attacks continued through 2013, maturing into a sophisticated operation that included espionage and information theft. Destructive wiper malware was launched against targets near the end of the operation.
In March 2011, Lazarus Group launched a campaign that became known as Ten Days of Rain. South Korean media outlets, banks and critical infrastructure were hit with waves of increasingly sophisticated DDoS attacks that were launched from compromised computers located within South Korea. Two years later, the group launched the DarkSeoul wiper attack that took down three major broadcasters, financial institutions and an ISP.
Lazarus Group made its mark as a sophisticated global threat on November 24, 2014, when it infiltrated Sony Pictures Entertainment. The group stole and published terabytes of internal data that included email, employee information and unreleased films and scripts. Sony workstations were also hit with malware that left them unusable. This attack was retaliation for “The Interview,” a comedy film about a plot to kill North Korea’s leader. North Korea denies involvement in the attack, but researchers and U.S. officials confidently attribute the attack to Lazarus Group.
Financial attacks
Lazarus Group accelerated its financial crimes around 2015. The group was linked to a $12 million theft from Banco del Austro in Ecuador and $1 million from Tien Phong Bank in Vietnam. These were precursors to the Bangladesh Bank heist in February 2016, where Lazarus exploited the SWIFT banking network to steal $81 million before being discovered and stopped.
In 2017 Lazarus Group unleashed the WannaCry ransomware worm, which spread globally and encrypted data on hundreds of thousands of computers. The attack caused an estimated $4 billion in damages worldwide and over $100 million in UK healthcare disruption. The group collected only about $160,000, which led many researchers to believe that WannaCry was a demonstration of power rather than a typical ransom scheme.
Around the same time, Lazarus was launching attacks on cryptocurrency exchanges, banks and FinTech companies. By September 2018, the group had stolen about $571 million in cryptocurrency from five Asian exchanges, including roughly $530 million stolen from Coincheck (Japan).
In 2020, Lazarus carried out a supply chain attack against the application management program WIZVERA VeraPort. This program was part of the security mechanisms used by South Korea to protect government and internet banking websites. This was followed by an attack on VoIP software provider 3CX in 2023. Both attacks showed the group’s ability to conduct stealthy multi-stage attacks on software supply chains.
Fake worker job scams
One of the group’s current strategies is the use of fake job offers and employee scams to infiltrate companies. These schemes are broadly known as “Operation Dream Job,” and they primarily target the defense, aerospace and government sectors in the United States, Israel, Australia, Russia, and India.
In one version of this attack, threat actors impersonate recruiters at prestigious companies. These fake recruiters use online profiles and open source intelligence (OSINT) to target individuals working in industries like cryptocurrency, FinTech, defense or software development. The ‘recruiter’ contacts prospects on LinkedIn or email with an offer to apply for a high-paying position. If the target expresses interest, the threat actor sends a job description or employment contract, which is a malware-laced document. This attack worked successfully against an engineer at Axie Infinity, resulting in a $540 million loss to the company.
A second version of the attack involves threat actors posing as IT workers or freelancers. Thousands of North Korean tech workers have been dispatched abroad to masquerade as South Korean, Japanese or Western freelancers. These operatives take on software development or cryptocurrency-related jobs in global companies under false names. There are also operatives working through laptop farms, which hide the true origin of the threat actor.
Some of these North Korean workers are tasked with earning an income for the RGB. Others are charged with gaining insider access so they can siphon funds, steal intellectual property, or plant malware to assist with future Lazarus attacks.
These fake worker scams turn corporate recruiting into an attack vector. Other threat groups use similar attacks, but none have matched the success or reach of those linked to Lazarus Group.
Infection chain and favorite tactics
Lazarus Group uses several common tactics to gain access to a system:
- Spear phishing emails: Lazarus has been observed sending targeted phishing emails to victims. These are often political or financial messages urging the recipient to act on a malicious attachment or URL and are sometimes combined with zero-day exploits in common software. This remains the group’s primary initial access technique.
- Exploitation of software vulnerabilities: Lazarus uses and sometimes develops zero-day exploits, and it can weaponize publicly known exploits very quickly.
- Watering hole attacks and strategic web compromise: The group will use these tactics to reach a target demographic. In one attack, Lazarus Group injected malicious code into a Polish financial regulator’s site to infect bank employees with malicious downloads. The group has also compromised legitimate software update sites to deliver compromised installers.
- Supply Chain Attacks: Lazarus is adept at supply chain compromises, as demonstrated by the attacks mentioned earlier.
- Social engineering and fake personas: Beyond the worker scams, Lazarus creates other fake identities like potential business partners or investors. For example, they’ve posed as venture capitalists interested in investing in a crypto startup to build rapport and then share a malware-laced “due diligence document.”
- Malware planted by a Lazarus conspirator: The ‘fake workers’ who infiltrate foreign companies may drop malware in a system to open a door for Lazarus Group operators.
Lazarus Group’s non-social engineering attacks exhibit a full APT attack chain, starting with initial access via spear phishing email or exploited vulnerability. Once inside the network, threat actors drop malware that opens a simple backdoor that confirms connectivity with command-and-control (C2) servers. If the group determines the infected machine is a domain controller or other sensitive device, it will proceed with the attack.
At this point, Lazarus Group will install a full toolkit on the target system. This includes more advanced tools like keystroke loggers, network scanners and second-stage backdoors that can fully control the machine. These payloads are hidden in the registry or masked as legitimate files to avoid detection.
The next step is to escalate privileges and move laterally across servers, which is usually accomplished with known exploits or stolen credentials. Depending on the mission, they might search for and steal specific data or identify financial transaction systems and prepare to steal funds. For example, in the ‘FASTCash’ operation, Lazarus implanted malware on banks’ payment switch servers to approve fraudulent ATM cash withdrawals.
The group attempts to cover its tracks in a few different ways. One method is to configure destructive malware to execute at a scheduled time. This was the case in the Bangladesh Bank heist, where the group planted malware that would alter or remove transaction records and delete log files. This was intended to prevent the bank from seeing the fraudulent transfers. Lazarus has also planted Russian-language snippets and code from other nations’ malware to make attribution more difficult. They also operate through computers in other countries to hide the North Korean IPs.
The defectors
A lot of the information we have on North Korea and Lazarus Group comes from former members of the RGB and other high-level agencies. These defectors now live and work under different identities, so you can assume the following individuals are using pseudonyms.
The most prominent defector is Kim Kuk-song, who was involved in North Korean intelligence for 30 years. He fled to South Korea in 2014.
In an interview with BBC in 2021, Kim confirmed that Lazarus Group is state-controlled at a high level, and the agents are highly trained and directed to “earn money at all costs” for the Supreme Leader. He described cyberspace as a “secret war” for North Korea, and that these operatives accomplish missions that conventional military cannot. He also affirmed that cyber operations are used to eliminate enemies and support the other illicit businesses of North Korea, such as drug and arms trafficking.
Kim Heung-kwang is a former professor of computer science who taught the operatives working in the RGB. He defected in 2004 and estimates that North Korea had around 6,000 trained cyber warriors by 2015.
Jang Se-yul left North Korea in 2007. He studied at Mirim University, which is the elite military college for cyber operatives. In a Reuters interview, he said RGB threat actors were handpicked and trained from a young age, and there were about 1,800 of them by 2014. He also confirmed that the families of North Korean hackers that operate in China and other countries are held as ‘collateral,’ but may be rewarded for the success of the cyber operation.
Some low-level defectors who worked in IT have mentioned that cyber operatives live in much better conditions than the average citizen. Perks include better food and access to foreign movies and global news. These are luxuries in the DPRK.
While defectors’ stories vary, they consistently describe a centralized, tightly controlled, and well-funded hacking program. These accounts also reveal the mindset behind the operations: Lazarus Group members see themselves as loyal workers serving their country, driven by privilege, ideology and concern for their families.
Protect yourself
The Lazarus Group is a genuine global threat on multiple levels. They can disrupt companies around the world, steal hundreds of millions in cryptocurrencies and bank transfers, infiltrate companies as employees with fake personas, infect companies through job recruiting scams, and so much more. It’s critical we remain vigilant against Lazarus Group, which already considers itself at war with the world.
Guarding against fake job and employee scams:
- Strict verification in hiring: Companies should implement thorough vetting of new hires, especially for remote positions. This includes conducting live video interviews (multiple rounds) to verify the person’s identity against their documents and performing rigorous background checks.
- Awareness training for HR and hiring managers: HR staff should be trained to spot signs of a fake candidate. Common red flags are refusal to take video calls, odd schedules that may suggest foreign time zones, and resumes that seem too perfectly matched or too generic.
- Employee education on unsolicited job offers: Employees should be educated that unsolicited job offers can be a phishing lure, and that legitimate recruiters do not ask candidates to install applications or run executables during the hiring process. Encourage employees to disclose high-profile job offers that appear out of the blue, so the company can determine whether it is an attack.
- Secure personal accounts: Encourage employees to secure their personal email and social media with strong, unique passwords and two-factor authentication. Lazarus sometimes uses stolen credentials to compromise personal email or LinkedIn accounts of employees. Good password management reduces the risk of a successful compromise.
Defending against Lazarus Group cyberattacks:
- Patch management and network segmentation: One of the best defenses is to eliminate the gaps exploited by Lazarus Group. Patch critical software promptly to prevent Lazarus from using known vulnerabilities as entry. The Bangladesh Bank hack reportedly succeeded partly because of unpatched systems and no firewall egress filters. Segment your network to restrict lateral movement, and be sure to isolate sensitive systems on their own network with limited access.
- Endpoint protection: Deploy advanced tools like Barracuda Managed XDR on workstations and servers. Lazarus malware that executes on endpoints will be caught by this protection. The group constantly morphs malware, but behavior-based detection can flag and alert on suspicious processes.
- Strong identity and access management (IAM): Enforce multi-factor authentication (MFA) everywhere, particularly for remote access and administrative accounts. Enforce the principle of least privilege and ensure that employees have only the permissions necessary to perform their work. High-value systems should only be accessible by a small number of accounts secured by MFA or physical tokens like a YubiKey or Thetis.
- Monitor outbound traffic: Lazarus uses C2 servers to manage attacks and exfiltrate data. Use network monitoring to detect anomalies like uploads from an internal server to an unknown external IP, or continuous beaconing to an IP that is unknown to the business. A data loss prevention (DLP) solution can help detect and stop the exfiltration of sensitive data.
- Email security and anti-phishing: Strengthen email gateways to filter out malicious attachments and links. Use sandboxing for attachments and URL rewriting to analyze links when clicked. This will help defend users against spear phishing and job recruitment attacks. Train employees to verify unexpected emails and deploy routine phishing simulations and security drills.
- Incident response plan & backups: Have an incident response plan and regularly back up critical systems offline. If a threat actor like Lazarus Group wipes or encrypts data, you should be able to restore it from a protected backup system. Practice your incident response and data recovery procedures.
- Threat hunting for known Lazarus Group techniques: Proactively search in your environment for signs of Lazarus. Look for known malware hashes and other suspicious behavior. Check for legitimate tools like TightVNC or unusual scheduled tasks, which can be indicators of an attack.
- Embrace Zero Trust: Adopt a zero-trust approach, assuming any user or device could be compromised at any time. Zero trust validates the user and device continuously, even between internal segments, and will catch machines and users attempting to access something beyond what is allowed.
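The outbound-traffic monitoring advice above (steady beaconing to an unknown external IP, and large uploads from an internal host to a destination the business does not recognize) can be turned into a simple detection you can run over egress logs. The following Python is an added example written for this post; it is not Barracuda code and not tied to any product. It assumes a constructed, single-line egress log format (timestamp, src, dst, bytes_out), uses documentation IP ranges for the sample data, and treats a small allow-list of known destinations as business-approved. Real deployments would read proxy or firewall logs and maintain the allow-list from asset inventory.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed egress log lines for illustration (not real traffic).
# 10.0.5.12 connects to 203.0.113.7 roughly every 60 s (beacon-like),
# 10.0.7.3 pushes a single ~700 MB upload to 198.51.100.9, and
# 192.0.2.50 is an allow-listed update server contacted at irregular times.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.5.12 dst=203.0.113.7 bytes_out=410
2024-05-01T10:01:01Z src=10.0.5.12 dst=203.0.113.7 bytes_out=398
2024-05-01T10:02:00Z src=10.0.5.12 dst=203.0.113.7 bytes_out=405
2024-05-01T10:02:45Z src=10.0.5.12 dst=192.0.2.50 bytes_out=1200
2024-05-01T10:03:02Z src=10.0.5.12 dst=203.0.113.7 bytes_out=401
2024-05-01T10:04:00Z src=10.0.5.12 dst=203.0.113.7 bytes_out=399
2024-05-01T10:05:01Z src=10.0.5.12 dst=203.0.113.7 bytes_out=412
2024-05-01T10:09:30Z src=10.0.5.12 dst=192.0.2.50 bytes_out=800
2024-05-01T10:11:00Z src=10.0.7.3 dst=198.51.100.9 bytes_out=734003200
2024-05-01T10:20:00Z src=10.0.9.8 dst=192.0.2.50 bytes_out=950
"""

# Assumed allow-list of destinations the business knows and expects.
ALLOWLIST = {"192.0.2.50"}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections; C2 check-ins on a fixed timer have
    low jitter, while human-driven browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst not in ALLOWLIST:
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "mean_interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings


def find_large_uploads(events, threshold_bytes=100 * 1024 * 1024):
    """Flag single sessions sending more than threshold_bytes to a non-allow-listed host."""
    return [{"src": src, "dst": dst, "bytes_out": b}
            for _, src, dst, b in events
            if dst not in ALLOWLIST and b > threshold_bytes]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_beacons(evts):
        print("possible beacon:", f)
    for f in find_large_uploads(evts):
        print("large upload to unknown host:", f)
```

The thresholds (five connections, 20% jitter, 100 MB) are starting points; tune them against your own baseline, and feed confirmed destinations back into the allow-list so the alert volume stays manageable.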
Barracuda can help
With an AI-powered cybersecurity platform, your business can maximize protection and cyber resilience. A unified platform that provides advanced protection, real-time analytics and proactive response capabilities helps eliminate security gaps, reduce operational complexity and improve visibility. By consolidating key security functions, a cybersecurity platform can minimize your administrative burden and simplify operations. With guidance from cybersecurity experts, you can leverage all the benefits of a unified cybersecurity platform.
Additional Resources
- Full DOJ complaint against Park Jin Hyok (re: Chosun Expo Joint Venture)
- FBI wanted poster of Park Jin Hyok: https://en.wikipedia.org/wiki/Lazarus_Group
- Video–Is that remote worker even real? (YouTube)
