Open main menu

Wikipedia β

Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the Lazarus Group, researchers have attributed many cyber attacks to them over the last decade.



The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009–2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul. They are also responsible for attacks in 2011 and 2013. It is possible that they were also behind a 2007 attack targeting South Korea, but that is still uncertain.[1] A notable attack that the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group has become over time. The Lazarus group were reported to have stolen $12 million from the Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015.[2] They have also targeted banks in Poland and Mexico.[3] The 2016 bank heist[4] included an attack on the Bangladesh Bank, successfully stealing US$81 million and was attributed to the group. In 2017 the Lazarus group was reported to have stolen US$60 million from the Far East International Bank of Taiwan although the actual amount stolen was unclear and most of the funds were recovered.[3]

It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.[5] [6][3] Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration cyber attacks whereas a sub-group within their organisation, which Kaspersky called Bluenoroff, specialised in financial cyber attacks. Kaspersky found multiple attacks worldwide and a direct link (IP address) between Bluenoroff and North Korea.[7]

However, Kaspersky also acknowledged that the repetition of the code could be a “false flag” meant to mislead investigators and pin the attack on North Korea, given that the worldwide WannaCry worm cyber attack copied techniques from the NSA as well. This ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public in April 2017. [8] Symantec reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack.[9]

The WannaCry Malware that affected as many as 300,000 computers worldwide are likely authored by hackers from southern China, Hong Kong, Taiwan or Singapore, said a US intelligence company.[10] The President of Microsoft attributed the WannaCry attack to North Korea.[11]

Operation BlockbusterEdit

Under the name "Operation Blockbuster", a coalition of security companies, led by Novetta,[12][13] was able to analyze malware samples found in different cyber-security incidents. Using that data, the team was able to analyze the methods used by the hackers. They linked the Lazarus Group to a number of attacks through a pattern of code re-usage.[14]

Operation FlameEdit

The earliest possible attack that can be attributed to the Lazarus Group took place in 2007. This attack was named "Operation Flame" and utilized first generation malware against the South Korean government. According to some researchers, the activity present in this attack can be linked to later attacks such as "Operation 1Mission," Operation Troy," and the DarkSeoul attacks in 2013. The next incident took place on July 4, 2009 and sparked the beginning of "Operation Troy." This attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text "Memory of Independence Day" in the master boot record (MBR).

Ten Days of RainEdit

Over time, attacks from this group have grown more sophisticated; their techniques and tools have become better developed and more effective. The March 2011 attack known as "Ten Days of Rain" targeted South Korean media, financial, and critical infrastructure, and consisted of more sophisticated DDoS attacks that originated from compromised computers within South Korea. The attacks continued on March 20, 2013 with DarkSeoul, a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP. At the time, two other groups, NewRomanic Cyber Army Team and WhoIs Team, took credit for that attack but researchers now know that the Lazarus Group was behind it.[15]

Sony breachEdit

The Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared stating that Sony Pictures had been hacked. No one knew it at the time, but this was the start to one of the biggest corporate breaches in recent history. At the time of the attack, the group identified themselves as the Guardians of Peace (GOP) and they were able to hack their way into the Sony network, leaving it crippled for days. The group claims that they were in the Sony network for a year before they were discovered, and it is certainly possible that that is true.[16] The attack was so intrusive that the hackers were able to get access to valuable insider information including previously unreleased films and the personal information of approximately 4,000 past and present employees. The group was also able to access internal emails and reveal some very speculative practices going on at Sony.[17]


  1. ^ "Security researchers say mysterious 'Lazarus Group' hacked Sony in 2014". The Daily Dot. Retrieved 2016-02-29. 
  2. ^ "SWIFT attackers' malware linked to more financial attacks". Symantec. 2016-05-26. Retrieved 2017-10-19. 
  3. ^ a b c Ashok, India (2017-10-17). "Lazarus: North Korean hackers suspected to have stolen millions in Taiwan bank cyberheist". International Business Times UK. Retrieved 2017-10-19. 
  4. ^ "Two bytes to $951m". Retrieved 2017-05-15. 
  5. ^ "Cyber attacks linked to North Korea, security experts claim". The Telegraph. 2017-05-16. Retrieved 2017-05-16. 
  6. ^ Solon, Olivia (2017-05-15). "WannaCry ransomware has links to North Korea, cybersecurity experts say". The Guardian. ISSN 0261-3077. Retrieved 2017-05-16. 
  7. ^ GReAT - Kaspersky Lab's Global Research & Analysis Team (2017-03-03). "Lazarus Under The Hood". Securelist. Retrieved 2017-05-16. 
  8. ^ The WannaCry Ransomware Has a Link to Suspected North Korean Hackers (2017-03-03). "The Wired". Securelist. Retrieved 2017-05-16. 
  9. ^ "More evidence for WannaCry 'link' to North Korean hackers". BBC News. 2017-05-23. Retrieved 2017-05-23. 
  10. ^ Linguistic analysis shows WannaCry ransom notes written by southern Chinese, says US intelligence firm (2017-05-15). "The Straits times". Securelist. Retrieved 2017-05-16. 
  11. ^ Harley, Nicola (2017-10-14). "North Korea behind WannaCry attack which crippled the NHS after stealing US cyber weapons, Microsoft chief claims". The Telegraph. ISSN 0307-1235. Retrieved 2017-10-14. 
  12. ^ Van Buskirk, Peter (2016-03-01). "Five Reasons Why Operation Blockbuster Matters". Novetta. Retrieved 2017-05-16. 
  13. ^ "Novetta Exposes Depth of Sony Pictures Attack — Novetta". 24 February 2016. 
  14. ^ "Kaspersky Lab helps to disrupt the activity of the Lazarus Group responsible for multiple devastating cyber-attacks | Kaspersky Lab". Retrieved 2016-02-29. 
  15. ^ "The Sony Hackers Were Causing Mayhem Years Before They Hit the Company". WIRED. Retrieved 2016-03-01. 
  16. ^ "Sony Got Hacked Hard: What We Know and Don't Know So Far". WIRED. Retrieved 2016-03-01. 
  17. ^ "A Breakdown and Analysis of the December, 2014 Sony Hack". Retrieved 2016-03-01. 


  • Virus News (2016). "Kaspersky Lab Helps to Disrupt the Activity of the Lazarus Group Responsible for Multiple Devastating Cyber-Attacks", Kaspersky Lab.
  • RBS (2014). "A Breakdown and Analysis of the December, 2014 Sony Hack". RiskBased Security.
  • Cameron, Dell (2016). "Security Researchers Say Mysterious 'Lazarus Group' Hacked Sony in 2014", The Daily Dot.
  • Zetter, Kim (2014). "Sony Got Hacked Hard: What We Know and Don't Know So Far", Wired.
  • Zetter, Kim (2016). "Sony Hackers Were Causing Mayhem Years Before They Hit The Company", Wired.