A “direct link” has been identified between North Korea and an advanced hacking group known as Lazarus, cybersecurity researchers said Monday, bolstering allegations surrounding Pyongyang’s involvement in a slew of global bank heists.
While speculation has swelled for months over North Korea’s purported role in a hacking scheme that resulted in $81 million being stolen last year from the Bangladesh central bank, Russia’s Kaspersky Labs on Monday said it found forensic evidence potentially linking one to the other.
In a statement Monday, Kaspersky said a research partner came across the possible link while conducting a forensic analysis of a computer server used by a Lazarus subgroup known as Bluenoroff to command and control cyberattacks.
Lazarus and Bluenoroff hackers typically masked their attacks by routing their internet traffic through proxy servers located in various parts of the world, Kaspersky reported. In one instance in January, however, a hacker connected to the group’s command-and-control server from a particularly unusual IP address originating in North Korea, according to Kaspersky.
The hacker appeared to have installed a memory-intensive application on the server that subsequently caused it to crash, likely prompting the hacker to abort their operation without properly wiping away any evidence of their activities, Kaspersky concluded.
Though the connection is far from definitive proof tying North Korea to the spree of global banking hacks, Kaspersky suggested the latest clue is the best evidence to emerge yet in support of the theory, lending credence to conclusions reached separately by competing researchers.
“This is the first time we have seen a direct link between Bluenoroff and North Korea,” Kaspersky Lab’s Global Research and Analysis Team wrote in a blog post Monday.
“North Korea is a very important part of this equation,” Vitaly Kamluk, the head of Kaspersky’s Asia-Pacific research team, told CNN.
In addition to last year’s Bangladeshi bank hack, cybersecurity researchers have previously linked the so-called Lazarus Group to the 2014 cyberattack against Sony Pictures Entertainment, in addition to other high-profile intrusions.
Kaspersky declined to definitively link Lazarus to North Korea, but the firm suggested the sophistication of its cyberattacks is on par with that of other nation states.
“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation,” Kaspersky said.
Andrew Blake can be reached at ablake@washingtontimes.com.