N Korea, Cyberattacks and ‘Lazarus’: What We Really Know

North Korean flag flutters behind razor wire on top of a wall at the North Korean Embassy, March 13 in Kuala Lumpur, Malaysia. Photo: Vincent Thian / Associated Press

TOKYO — With the dust now settling after “WannaCry,” the biggest ransomware attack in history, cybersecurity experts are taking a deep dive into how it was carried out, what can be done to protect computers from future breaches and, trickiest of all, who is to blame.

Beyond the frequently used shorthand that North Korea was likely behind the attack lies a more complicated story of the rise of an infamous group of hackers known as “Lazarus,” who may be using secret lairs in northeast China and have created a virtual “malware factory” that could wreak a lot more havoc in the future.

Who are they?

On Dec. 19, 2014, just one month after a devastating hack hobbled Sony Pictures Entertainment, the FBI’s field office in San Diego issued a press release stating North Korea was the culprit and saying such cyberattacks pose “one of the gravest national security dangers” to the United States.


Its claim North Korea was to blame has been disputed.

An industry consortium led by Novetta launched “Operation Blockbuster” and in 2016 released a detailed public report on the attack that lined up with the FBI’s conclusion that the tactics, tools and capabilities strongly indicated the work of a “structured, resourced and motivated organization,” but said its analysis could not support the direct attribution of a nation-state.

It determined the attack “was carried out by a single group, or potentially very closely linked groups, sharing technical resources, infrastructure and even tasking.”

It named the group Lazarus and tied it to a string of attacks dating back to 2007 or 2009.

Researchers at cybersecurity giant Kaspersky Labs, which also participated in Operation Blockbuster, surmised the Lazarus attackers are probably located in a time zone eight or nine hours ahead of Greenwich Mean Time – which would include China, Malaysia and parts of Indonesia, among other places – because they seem to start working at around midnight GMT and break for lunch three hours later.

They even claimed the hackers get roughly 6-7 hours of sleep per night.

Kaspersky also said it found indications of the Korean language on a majority of the computers being used.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington-based think tank, said the group is believed to outsource the development of malware to “numerous external threat actors.”

But he said any connections between Lazarus and North Korea remain unclear.

Jon Condra, director of Asia Pacific research at the cybersecurity firm Flashpoint, cautiously noted the theory that at least some Lazarus Group hackers are working out of China and that they may include North Koreans.

“It is widely believed that at least some North Korean hacking units operate out of Northeastern China, the city of Shenyang, in particular, but hard evidence is scant,” he said. “It is entirely possible that the Lazarus Group is not entirely made up of North Korean actors, but may also have Chinese members.”

Kaspersky took another look into Lazarus following the attempted heist of $900 million from the central bank of Bangladesh in February last year. It found Lazarus is both accelerating its activities and morphing rapidly.

According to Kaspersky, the Lazarus Group now has its own cybercrime subgroup, dubbed BlueNoroff, to help finance its operations through attacks on banks, casinos, financial institutions and traders.

The disruptive and “asymmetric” nature of cyber warfare clearly makes it a weapon North Korea can be assumed to want to exploit against its much more powerful adversaries in a military conflict.

Cybercrime would also seem to be extremely attractive to North Korea. It’s hard to trace, can be done on the cheap and, for those who can master the technological expertise, the opportunities seem to be everywhere. It’s a less risky means of procuring illicit income than other activities North Korea has been accused of in the past, such as drug trafficking and counterfeiting U.S. $100 bills.

The U.S. government has not blamed WannaCry on North Korea – reflecting the fact that determining the role of a nation-state can be a Sisyphean task.


Some campaigns attributed to the Lazarus Group suggest a lower-skilled adversary than one might expect from one with full state backing – a factor Beau Woods, the deputy director of the Cyber Statecraft Initiative at the Atlantic Council, says is indicative of “a blurred line” between state and non-state actors.

“Many countries allow – or at least tolerate – non-state actors that are doing things that are ideologically aligned,” he said. “With North Korea, it appears to be the case that they rely very heavily on this kind of criminal element-amateurs-professionals. It’s a predominance of question marks.”

Story: Eric Talmadge