Group: Lazarus group
Associated Groups: Lazarus group, COVELLITE, HIDDEN COBRA, ZINC, Guardians of Peace
External Contributors: Dragos Threat Intelligence
Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America.[1][2] Links have been established associating this group with the WannaCry ransomware from 2017.[3] While WannaCry was not an ICS-focused attack, Lazarus group is considered to be a threat to ICS.
North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[1] Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names under the name Lazarus Group.
Associated Group Descriptions
- Spearphishing Attachment - Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads.[4] Highly targeted spearphishing campaigns have been conducted against a U.S. electric grid company.[7]
References
- [1] CISA. (n.d.). HIDDEN COBRA - North Korean Malicious Cyber Activity. Retrieved October 31, 2019.
- [2] Dragos. (n.d.). Covellite. Retrieved October 27, 2019.
- [3] CISA. (2017, May 12). Alert (TA17-132A). Retrieved October 31, 2019.
- [4] Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- [5] CISA. (2017, June 13). HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved December 6, 2019.
- [6] Brad Smith. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 6, 2019.
- [7] Eduard Kovacs. (2018, March 1). Five Threat Groups Target Industrial Systems: Dragos. Retrieved January 3, 2020.
- [8] Symantec Security Response. (2017, May 22). WannaCry: Ransomware attacks show strong links to Lazarus group. Retrieved December 9, 2019.