Threat actor profile: Lazarus

The Lazarus Group, also known by aliases such as Hidden Cobra, APT38 or Labyrinth Chollima, is one of the most prolific, versatile and eccentric threat actors on the global stage. The advanced persistent threat (APT) group is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency. It is estimated that the group has around 3,300 members. Since emerging in the mid-2000s, Lazarus has been responsible for some of the most high-profile cyberattacks in the last decade, including the Sony breach (2014), Bangladesh bank heist (2016), WannaCry ransomware attacks (2017), as well as many of the well known heists on crypto exchanges. This page will provide an overview of the group's history and preferred tactics, as well as looking towards the future to see how this persistent threat actor may evolve in the years to come.

Aliases: Hidden Cobra, APT38, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, BlueNorOff, Labyrinth Chollima, Guardians of Peace, CTG-6459, TEMP.Hermit, T-APT15, Black Alicanto, TA444, TAG-71
Strategic motives: Espionage, financial gain, disruption, destruction
Affiliation: North Korean Reconnaissance General Bureau
Cyber capabilities: ★★★★☆
Target sectors: Aerospace, Banking & Investment Services, Biotech, BitCoin exchanges, Defense, Energy, Engineering, Financial, Government, Healthcare, Industrials, Media, Media & Publishing, Shipping and Logistics, Technology, Transportation
Observed countries: Albania, Andorra, Argentina, Australia, Austria, Bangladesh, Belarus, Belgium, Bosnia, Bosnia and Herzegovina, Brazil, Bulgaria, Canada, Chile, China, Costa Rica, Croatia, Czech Republic, Denmark, Ecuador, Estonia, Finland, France, Germany, Ghana, Greece, Guatemala, Herzegovina, Holy See, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jordan, Kenya, Kuwait, Latvia, Liechtenstein, Lithuania, Luxembourg, Macau, Malaysia, Malta, Mexico, Moldova, Monaco, Mongolia, Montenegro, Mozambique, Nepal, Netherlands, Nicaragua, Nigeria, North Korea, North Macedonia, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, San Marino, Serbia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Togo, Turkey, Uganda, Ukraine, United Kingdom, United States, Uruguay, Vietnam, Zambia

The earliest signs of the Lazarus group can be traced back to 2007, when North Korea was under the rule of Kim Jong Il, father of the current leader Kim Jong Un. It is believed that Lazarus was established as a cyber warfare unit under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. During this period, the development of cyber capabilities was seen as essential to the regime’s asymmetric warfare strategy. Kim Jong Il was said to be an enthusiastic proponent of this, stating that “cyber-attacks are like atomic bombs” and that “war is won and lost by who has greater access to the adversary’s military technical information in peacetime.” The Lazarus group’s earliest operations tended to focus on espionage and disruption, primarily targeting organizations in the United States and South Korea.

After the death of Kim Jong Il in 2011, Kim Jong Un sought to expand on his fathers’ vision and harness the state’s cyber capabilities to generate revenue for the sanction-hit regime. Starting in 2015, Lazarus began conducting financially motivated operations, first focusing on banks and later cryptocurrency exchanges. North Korea has a long history of using criminal activities, including counterfeiting, drug trafficking and insurance fraud, to support its struggling economy. With its growing cyber capabilities, shifting these efforts to cyberspace likely felt like a natural evolution.

What makes Lazarus stand out from other APTs is the breadth and diversity of its operations; the group has targeted a wide range of sectors over the years, including but not limited to the aerospace, banking, pharmaceuticals, energy, healthcare, technology, education, and transportation sectors. The group’s targeting appears to shift in line with the regime’s ambitions, as well as external events such as the COVID-19 pandemic. The regime relies on espionage and information theft to bypass (often difficult and expensive) R&D processes that are required for the advancement and modernization of the state.

Additionally, Lazarus has repeatedly targeted governments and military organizations to obtain intelligence and undermine their adversaries. In 2016, the group breached South Korea’s Defense Ministry and reportedly obtained classified military documents outlining a joint US-South Korea combat strategy, including procedures to “decapitate” the North Korean leadership. Such campaigns are used to strengthen North Korea’s strategic position and pre-empt threats from their regional neighbors.

Group structure

It should be noted that the Lazarus group is often used as an umbrella term referring to multiple North Korean cyber operators. Based on analysis of various toolsets and attack patterns, Lazarus can be divided into sub-groups with varying objectives. Two commonly cited sub-groups are BlueNorOff, which is believed to be the unit responsible for financially motivated attacks, and AndAriel, which focuses its operations on foreign businesses, government agencies, and financial services infrastructure. According to some estimates, BlueNorOff (also referred to as APT38) boasts approximately 1,700 members, while AndAriel has around 1,600 members.

In addition to BlueNorOff and AndAriel, Mandiant designates an additional sub-group - TEMP.Hermit. This unit is believed to focus on strategic intelligence gathering and is known to have targeted organizations in the government, defense, telecommunications, and financial sectors. It is believed that these three units are subordinate to an agency named Lab 110, previously Bureau 121, which is known as North Korea’s primary hacking unit. The relationship between these groups is shown in the chart below.

Screenshot 2024-08-07 at 15.33.58

Figure 1. Assessed structure of North Korean APT groups (Source: Mandiant)

However, it’s worth noting that due to the inherently clandestine nature of cyber threats, verifying this structure is no easy task. To complicate matters further, there are overlaps in tools and techniques between North Korea’s Kimsuky and APT37. This poses challenges for attribution and obscures our view of how these cyber teams are organized.

In late 2021, an unnamed aerospace company in the Netherlands was targeted by one of the Lazarus group’s trademark recruitment scams. An employee was contacted by individuals posing as Amazon recruiters and lured into opening malicious documents sent via email and LinkedIn. Upon opening, various tools including droppers, loaders, and HTTP(S) backdoors were deployed on the victim’s systems. One notable aspect of this campaign was the group’s use of a user-mode component to exploit the CVE-2021-21551 vulnerability in a legitimate Dell driver, from which kernel memory could be written, marking the first recorded abuse of this vulnerability in the wild. The attackers leveraged their kernel memory write access to disable key Windows monitoring mechanisms, including registry tracking, file system monitoring, and event tracing. This effectively blinded security solutions, allowing Lazarus to roam freely without detection Such a sophisticated approach again highlights the group’s ability to conduct deep research and develop advanced exploitation techniques.

At Hunt & Hackett, we have observed the use of these techniques by Lazarus firsthand. In one of our previous investigations, we observed Lazarus sending highly targeted spear phishing messages disguised as job offers via the online messaging platform Telegram. As was the case with their 2021 campaign, tools such as loaders and backdoors were dropped onto the victim’s system once the malicious documents were opened.

The Netherlands was not the only country targeted in this particular operation. Research by ESET shows that this was part of a broader effort to steal valuable information from defense companies in France, Italy, Germany, Poland, Ukraine, Turkey, Qatar and Brazil. Lazarus has repeatedly targeted the defense sector over the years, likely driven by North Korea’s enduring obsession with military supremacy. The regime continues to utilize the Songun (military-first) policy framework enacted by Kim Jong Il in 1995, which prioritizes the Korean People’s Army (KPA) as the central institution of North Korean society. Under Songun, the military is given the highest priority in resource allocation and national affairs, as it is seen as the primary force for safeguarding the regime. Over the past 15 years, the North Korea has become increasingly dependent on APTs like Lazarus to support its military ambitions.

In recent years, the Lazarus Group has become the focus of international legal action. In September 2018, the US Department of Justice charged suspected Lazarus Group member Park Jin Hyok for his involvement in the WannaCry ransomware attacks, the Sony Pictures breach, and other cybercrimes. According to the affidavit, Park was charged with conspiring to gain unauthorized access to computers, obtaining information with intent to defraud, causing damage, extortion related to computer intrusion, and wire fraud. In February 2021, a US federal indictment expanded on these charges, implicating two additional members - Jon Chang-Hyok, Kim Il - in a criminal conspiracy to conduct destructive cyberattacks, steal and extort over $1.3 billion from financial institutions and companies, create and deploy malicious cryptocurrency applications, and fraudulently market a blockchain platform.

Individuals affiliated with the Lazarus group have also come under scrutiny. In 2021, Canadian-American citizen Ghaleb Alaumary pled guilty to aiding the Lazarus Group in laundering money obtained through ATM cash-out operations. In 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the virtual currency mixer Blender.io for aiding the Lazarus Group in laundering stolen virtual currency. This followed the group’s largest virtual currency heist to date, worth nearly $620 million, from a blockchain project linked to the online game Axie Infinity. Blender.io is believed to have processed more than $20.5 million of the illicit proceeds. In the same year, the US sanctioned cryptocurrency mixer Tornado Cash for allowing the proceeds of cybercrime to be laundered on its platform, including nearly half a billion dollars stolen by Lazarus.

The same year, US cryptocurrency researcher Virgil Griffith was sentenced to more than five years in prison for conspiring to help North Korea evade US sanctions using cryptocurrency. Griffith, who formerly worked for the Ethereum Foundation, traveled to North Korea in 2019 to speak at the Pyongyang Blockchain and Cryptocurrency Conference, despite being denied permission by the US Department of State to do so. US prosecutors said Griffith was aware the information he provided could be used to circumvent sanctions imposed on North Korea due to its nuclear weapons development. While speaking at the conference, Griffith stated: “The most important feature of blockchains is that they are open. And the DPRK [Democratic People's Republic of Korea] can't be kept out no matter what the USA or the UN says.” This assessment, unfortunately, turned out to be correct. In the years that followed, Lazarus shifted focus from financial institutions to cryptocurrency platforms, stealing an estimated $3 billion over the course of 58 attacks. UN sanction monitors believe these proceeds were used to further develop North Korea’s nuclear weapons program.

Threat Actor ProfileLazarus

Request a free membership to access our full research insights

Origins, Motivations & Targets

Group structure

SWOT analysis

Strengths

Weaknesses

Opportunities

Threats

More detailed information about this actor?

Lazarus in the Netherlands

Trends

Learn more about our threat research?