Lazarus: Modus operandi and countermeasures

After more than a year of investigation, our experts have a thorough understanding of the Lazarus campaign and advice for protection.

In early 2016, all prominent news outlets (not only those that normally cover IT topics) reported on an $81 million heist, part of an attempted theft of about $951 million, from the Central Bank of Bangladesh. Kaspersky Lab, together with other cybersecurity organizations, actively participated in the investigation of the incident, which was the product of a cybercrime group dubbed Lazarus.

Now, after more than a year of investigation, our experts have a thorough understanding of the tools the cybercriminals were using, as well as their modus operandi. The list of the group’s targets included financial organizations, casinos, and even software developers working for investment firms.

The attackers are still at large, so if you work in one of the aforementioned industries, you might consider running a very thorough check of your system. To do that, you need to understand how the group operates.

Modus operandi

Phase 1

Infiltrate victim systems through one of the organization’s computers. Usually, the attackers remotely exploit a code vulnerability or lure an employee into visiting a malicious website. Once their foot is in the door, they infect the computer with malware.

Phase 2

Spread the infection. Using their extensive toolset (we have identified more than 150 malicious programs used by the group), the attackers move laterally inside the target company’s network, infecting other machines with backdoors.

Phase 3

Collect infrastructure information. The attackers seek ways to collect user credentials for financial software. To get this information, they may search through backup servers, domain controllers, mail servers, and so forth.

Phase 4

Customize the malware to bypass security mechanisms in financial software and execute unsolicited transactions from the victim’s account. All that remains is to do is withdraw the cash, but it’s just a technicality.

Lessons for businesses

Regardless of the attackers’ proficiency, a comprehensive security strategy can prevent this sort of theft:

  • Ensure the IT infrastructure powering financial software is reliably protected by solutions capable of detecting targeted attacks;
  • Maintain a high level of cybersecurity awareness among your employees by keeping them informed about the threat landscape and intrusion prevention systems;
  • Run regular security audits, ensuring timely detection of vulnerabilities and indictors of compromise (IoCs);
  • Protect backup servers, which may store login names, passwords, and even authentication tokens;
  • Ensure you use appropriate software settings in programs used for financial transactions, and follow the recommendations of professionals and software developers;
  • If you notice IoCs in your IT infrastructure, ask for professional services from security experts who can fully investigate the incidents.

Our experience proves that even if attackers have already compromised your infrastructure, it’s never too late to stop them and prevent further financial losses and reputational damage.

A full analysis of the attack and IoCs can be found on our Securelist blog.