North Korean state-sponsored cybercriminals have been time and again accused of buying access to pre-hacked servers from other threat actors. However, lately, connections have emerged between the North Korea-based Lazarus APT group and some of the prominent Russian-speaking cybercriminal groups.
The breakthrough
TrickBot, Dridex, and TA505 are threat groups linked to various Russian-speaking threat actors who sell access to victims’ systems on the dark web. Lazarus has been found to be infrequently using TrickBot’s codes in its attacks.
Establishing the connection
TrickBot is a privately-run Malware-as-a-Service (Maas) offering, which can be accessed by only top-tier threat actors.
TA505 is a cybercriminal group that has purchased a huge number of tools from the underground.
According to a report by LEXFO, past Lazarus infections have been spotted to coexist with TrickBot and Emotet.
TA505 and Lazarus IOCs were found together in bank networks. Moreover, the PS post-intrusion scripts appertaining to Lazarus and TA505 have been discovered to be similar.
According to a CISA alert, North Korea-based hackers may “be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”
What they are saying
Based on the different incidents, experts assess that there is a connection between Lazarus and Russian-speaking cybercriminals.
TrickBot appears to possess a treasure trove of compromised accesses that Lazarus can definitely leverage.
However, not enough information is available to decide if all TrickBot infections could point to Lazarus or only a subset of them.
The bottom line
It is very likely that threat actors with access to TrickBot infections are in touch with North Korean state-sponsored hackers. Knowing that there is a link between different threat actors provides defenders an opportunity to identify a potential second problem when the first one occurs.