Lazarus, the group of cybercriminals that infected computers around the world with the WannaCry virus in 2017, has now stolen about 585 million euros in cryptocurrency. It is the biggest digital heist in history. But who are Lazarus?
At the end of March, the criminal group Lazarus, which works for the North Korean regime, carried out what is already considered the largest known cyber theft. The haul was about 585 million euros' worth of Ethereum (the second most used cryptocurrency after Bitcoin), taken from a website related to the video game Axie Infinity, from which the group was able to drain the funds.
The link between the heist and the North Korean group was established by the United States. The blockchain consultancy Chainalysis also estimates that North Korean hackers may have acquired $400 million in digital assets last year through various attacks targeting cryptocurrency platforms.
Government “sponsorship” of hacker teams is common in some countries, such as China, Iran or the United States, which use hackers to carry out sabotage or obtain valuable information. But the case of North Korea is different. Its leader uses hackers to earn money in order to survive the harsh international sanctions the country is subject to.
Who are Lazarus?
Lazarus are cybercriminals, but they are not just digital thieves. In 2017 WannaCry, the largest ransomware program in history, was launched, and the United States and the United Kingdom, as well as Microsoft, attribute the creation of this malware to a North Korean group. The virus encrypts files and demands payment to decrypt them. It is estimated that WannaCry affected around 300,000 computers in 150 countries, including those of the UK’s National Health Service, which it ended up crippling.
A year earlier, in 2016, the Lazarus Group attempted to steal $1 billion from the Central Bank of Bangladesh. The scheme consisted of impersonating bank employees and obtaining authorisation to handle funds. The attack fell short because of a coding error, but they still managed to get away with 81 million dollars. The FBI described it as the largest cyber attack in history.
There are also suspicions that about $530 million worth of tokens (digital financial assets) were stolen in 2018 from Japanese crypto exchange portal Coincheck.
But Lazarus has also carried out acts of sabotage. North Korean hackers were particularly active during 2020, when major pharmaceutical companies were frantically working on a vaccine against Covid-19. They tried to break into the computers of AstraZeneca workers, who were in the process of developing a vaccine, and later tried to steal information from Pfizer.
Since North Korea was, until a few weeks ago, one of the few countries in the world where the spread of the epidemic had been prevented, the country’s intentions may have been to sabotage the operations of pharmaceutical companies or to sell industrial secrets.
One of the most notorious Lazarus operations with no economic purpose occurred in 2014 and was the first warning that the North Koreans are not digital hobbyists. The target was Sony Entertainment, the producer of The Interview, a comedy about two people hired to assassinate Kim Jong-un.
A month before the scheduled release date, a group of hackers infected the computers of Sony workers. They were able to erase confidential company data, publish salary details, and expose hacked emails from some managers. They also threatened to attack cinemas where the film was shown, prompting major distributors to pull it from their listings.
They steal money for the regime
All the money that Lazarus steals has the same destination: Kim Jong Un’s regime. Unlike other Advanced Persistent Threats (APTs), the term by which organized hacker groups with greater capabilities are known, Lazarus operates with the primary objective of financially benefiting the North Korean regime.
In general, APTs, the government-run and government-sponsored teams that sit at the very top of the hacker hierarchy, are very well organized and hierarchical, with precisely defined departments and professional roles, and with the economic resources to develop complex, coordinated and rapid attacks. In theory, only the secret services of the great powers (the United States, Russia or the United Kingdom) have more power than APTs.
Because of the nature of the Internet, where it is easy to go unnoticed, it is very difficult to attribute cyber attacks. “APTs are primarily tracked with evidence provided by intelligence services and code characteristics, but a good forensic analysis that determines authorship can take months,” explains Deepak Daswani, a cybersecurity analyst and hacker, quoted by El País. That is why governments use APTs for sabotage, espionage or intelligence operations without provoking diplomatic incidents.
In the case of the Lazarus group, the purpose of launching ransomware is to raise funds to support a regime that, because of international sanctions, needs to resort to other means to achieve its goals.