Is Lazarus Related to Russian-Speaking Threat Actors?

North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.

The breakthrough

TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has been found to be infrequently using TrickBot’s codes in its attacks.

Establishing the connection

  • TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.
  • TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.
  • According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
  • TA505 and Lazarus IOCs were found together in bank networks. Moreover, the PS post-intrusion scripts appertaining to Lazarus and TA505 have been discovered to be similar.
  • According to a CISA alert, North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”

What they are saying

  • Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.
  • TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.
  • However, not enough information is available to decide if all TrickBot infections could point to Lazarus or only a subset of them.

The bottom line

It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.