North Korea Lazarus Group Launching Global Phishing Campaign

Posting ID 125168
Date Added: 06/20/2020 12:45 PM EDT
Date Modified: 06/20/2020 6:01 PM EDT
E-ISAC Staff

Description

Summary:

North Korea-associated Lazarus Group could begin a global phishing campaign as early as June 20th.

Impact Statement/Analysis:

Security firm Cyfirma released analysis showing that the Lazarus Group (associated with Dragos’ COVELLITE) may launch a global phishing campaign starting as early as June 20th. The attack is expected to focus on countries that provided stimulus funding to combat economic damage caused by COVID-19. While not explicitly named, NERC entities and employees could be among those targeted and are at moderate risk.

The hackers are likely to impersonate government agencies tasked with disbursing financial aid and to target persons and businesses likely to be in need of financial assistance. Cyfirma has identified several email addresses created by the threat actors to mimic legitimate email addresses of government agencies. Lazarus Group claims to have 1.4 million curated email IDs for the US alone, with a plan to send a spoofed email that lures targets with fake direct payment offers into providing personal data.

This is consistent with previous Lazarus Group activities, which have shown the capability to carry out phishing campaigns as well as an interest in stealing funds. Lazarus Group is responsible for the 2014 cyber attack on Sony Pictures and various Bitcoin heists. Aside from disrupting adversaries, North Korean government policy has long relied on intelligence and cyber activities to procure funds and circumvent international sanctions, to the extent that a separate intelligence agency (known as Office 39) has been operating for decades with that specific mission.

Comments:

The E-ISAC will continue to monitor this situation and provide relevant updates when necessary. If you have any questions or comments, please reach out to us at operations@eisac.com or at 202-790-6000.

References:

Cyfirma. June 18, 2020. Global COVID-19-Related Phishing Campaign by North Korean Operatives Lazarus Group Exposed by Cyfirma Researchers https://www.cyfirma.com/early-warning/global-covid-19-related-phishing-campaign-by-north-korean-operatives-lazarus-group-exposed-by-cyfirma-researchers/

Eileen Yu. ZDNet. June 19, 2020. North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations https://www.zdnet.com/article/north-korean-state-hackers-reportedly-planning-covid-19-phishing-campaign-targeting-5m-across-six-nations/

Dragos, Inc. Covellite https://www.dragos.com/resource/covellite/

MITRE Partnership Network. Group: Lazarus group, COVELLITE https://collaborate.mitre.org/attackics/index.php/Group/G0008

John Walcott. Time. April 29, 2020. Cash, Yachts, and Cognac: Kim Yo-Jong’s Links to the Secretive Office Keeping North Korea’s Elites in Luxury https://time.com/5829508/kim-yo-jong-money-office-39/

Matthew Carney. ABC News. January 05, 2018. Defector reveals secrets of North Korea’s Office 39, raising cash for Kim Jong-un https://www.abc.net.au/news/2018-01-06/north-korea-defector-reveals-secrets-of-office-39/9302308

Category Type:
Cyber Security
TLP - White
Shared Count (15)
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DOE Complex
  • E-ISAC AOO Members
  • E-ISAC Staff
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • MS-ISAC
  • Other (inc. local/state commissions)
  • Trade Organizations
  • Watch Floor
Change History
  • Admin, 06/20/2020
  • Admin, 06/20/2020
  • E-ISAC Staff, 06/20/2020
  • E-ISAC Staff, 06/20/2020