
North Korean Hackers on the Rise: Safeguarding Corporate Data Security Is Urgent
TechFlow Selected TechFlow Selected

North Korean Hackers on the Rise: Safeguarding Corporate Data Security Is Urgent
How to defend against security attacks from North Korean hackers?
By MetaTrust Labs
On January 1, 2024, a cyberattack targeting Orbit Chain drew global attention from the cryptocurrency community. Reports indicate that hackers exploited vulnerabilities in Orbit Chain to steal $81.5 million worth of cryptocurrency and transfer it to other addresses. Orbit Chain has confirmed the incident and stated it is cooperating with international law enforcement agencies to trace the attackers' identities and motives. Some security experts believe the tactics and targets of this attack resemble those of the North Korean hacking group Lazarus, potentially marking another instance of their cybercriminal activity.
Who exactly is the Lazarus organization, and why does its activity raise such high concerns internationally? How does this group exploit cryptocurrencies to circumvent international sanctions and anti-money laundering measures?
The North Korea-Based Lazarus Hacker Group
Lazarus is a well-known hacker group backed by the North Korean government and has been active for over a decade since 2009. The group is notorious for targeting organizations worldwide, with past operations including attacks on financial institutions, media outlets, and government agencies. The Lazarus Group is controlled by Bureau 121 under North Korea’s Reconnaissance General Bureau. It is particularly known for attacking banks and cryptocurrency exchanges to obtain economic benefits through theft of funds and data. The group treats programmers with high-level privileges and encourages individuals with computer talents to join the official ranks of "hackers."
Pyongyang University of Automation serves as one of the key sources for Lazarus hackers. The group has shifted its focus from political attacks to economic ones, concentrating increasingly on the cryptocurrency sector. Its activities include targeting security researchers, embedding malicious code into open-source cryptocurrency platforms, conducting large-scale cryptocurrency heists, and spreading malware via fake job interviews. Funds obtained illegally by these hacking groups go through typical money laundering processes used by traditional cybercrime syndicates. Stolen cryptocurrencies are often converted into fiat currency to evade anti-money laundering (AML) controls.
South Korea, the United States, and Japan have remained highly vigilant against North Korean hacking operations. Reports suggest that in recent years, North Korean hacking groups have successfully stolen approximately $3 billion in cryptocurrency assets, which were used to support North Korea's nuclear and ballistic missile programs. Security advisors from the U.S., South Korea, and Japan met in Seoul to discuss strategies for addressing North Korea’s cyber threats and announced a new trilateral cooperation initiative focused on combating North Korean cybercrime and cryptocurrency money laundering. This meeting took place amid escalating tensions on the Korean Peninsula, as North Korea accelerated the expansion of its nuclear and missile programs and publicly declared its willingness to use nuclear weapons preemptively.
The Lazarus hacker group employs diverse attack methods and targets, ranging from SWIFT network attacks on financial institutions to broader cryptocurrency robberies, demonstrating both advanced technical capabilities and significant threat levels. However, defensive measures against these attacks remain relatively limited. Since 2018, North Korean hackers have stolen about $2 billion in virtual currencies. In 2023 alone, they stole around $200 million in cryptocurrency—accounting for 20% of all crypto thefts that year. These hackers pose an ongoing threat to the virtual currency ecosystem, with their cyberattack techniques continuously evolving and becoming more sophisticated.
The scale of North Korean hacking operations exceeds that of other malicious actors by tenfold, and they also target decentralized finance (DeFi) ecosystems. They employ various cyberattack methods, including phishing, supply chain attacks, and other forms of hacking. Therefore, both enterprises and individual users need to strengthen cybersecurity measures, regularly update software, enhance password policies, and increase awareness of cybersecurity. At the same time, regulators must intensify oversight and establish stricter laws and regulations to curb such cybercriminal behavior.
Case Study One: Lazarus Exploits Log4Shell Vulnerability in Blacksmith Campaign
Attack Process and Methods:
1. Exploitation of Log4Shell Vulnerability: Lazarus first exploited the Log4Shell vulnerability—a remote code execution flaw discovered in the Log4j logging library. Although this vulnerability was identified and patched two years ago, many systems may still run unpatched versions, providing Lazarus with an entry point.
2. Deployment of Proxy Tools: Once initial access was gained, Lazarus set up a proxy tool enabling persistent access to compromised servers. This tool allowed them to execute reconnaissance commands, create new administrator accounts, and deploy additional credential-stealing tools.
3. NineRAT Deployment: In the second stage, Lazarus deployed the NineRAT malware on the system. NineRAT is a remote access trojan capable of collecting system information, upgrading itself, halting execution, self-uninstalling, and uploading files from infected computers. It also includes a dropper responsible for establishing persistence and launching the main binary.
4. Use of DLRAT and BottomLoader: Lazarus also employed DLRAT and BottomLoader. DLRAT is a Trojan downloader that enables Lazarus to introduce additional payloads onto infected systems. BottomLoader is a malware downloader that retrieves and executes payloads from hardcoded URLs.
5. Credential Theft and Persistence: Using tools like ProcDump and Mimikatz for credential dumping to gather more system information. Additionally, persistence was achieved by creating URL files in the system’s startup directory, allowing new versions or deletion of payloads.
References: https://www.csoonline.com/article/1259949/lazarus-apt-attack-campaign-shows-log4shell-exploitation-remains-popular.html https://nvd.nist.gov/vuln/detail/cve-2021-44228
Case Study Two: Lazarus Hacker Group Conducts Supply Chain Attack via MagicLine4NX Software
Attack Process:
1. Watering Hole Attack: The Lazarus hacker group infiltrated websites frequently visited by specific users and embedded malicious scripts. When users running the MagicLine4NX authentication software accessed these sites, the embedded code executed, giving hackers full control over the system.
2. Propagation of Malicious Code via System Vulnerabilities: Hackers exploited zero-day vulnerabilities within the MagicLine4NX software, allowing connected PCs to reach their internet servers. Then, using the data synchronization feature, they spread the malicious code to business-side servers.
3. Attempted Data Exfiltration: The malware attempted to connect to two C2 servers—one located inside the internal network gateway and another outside the internet perimeter. If successful, vast amounts of internal network data could be leaked.
Technical Methods:
1. Zero-Day Exploitation: Hackers leveraged previously unknown zero-day vulnerabilities in the MagicLine4NX software, enabling unauthorized access to target systems before patches were available.
2. Supply Chain Attack: By exploiting weaknesses in the supply chain, hackers bypassed normal security defenses and directly attacked target systems.
3. Data Synchronization and C2 Server Connection: Hackers used the data synchronization function to propagate malicious code to business servers and attempted to establish connections with external C2 servers for further control and data exfiltration.
References: https://www.zerofox.com/advisories/22471/ https://nvd.nist.gov/vuln/detail/CVE-2023-45797
Case Study Three: Attacks Targeting Cryptocurrencies
Targets: Cryptocurrency exchanges, wallets, decentralized finance (DeFi) ecosystems
Timeline: Ongoing since 2018, especially prominent in 2023
Attack Processes and Technical Methods:
1. Exploiting Leaked Private Keys and Vulnerabilities: North Korean hackers infiltrate targets through phishing and supply chain attacks involving leaked private keys or seed phrases.
2. Cross-Chain Bridge Attacks: They specifically target cross-chain bridges such as the Axie Infinity Ronin Bridge to steal large volumes of virtual currency.
Multi-Stage Money Laundering Process: In previous incidents, North Korean hackers have used complex “multi-stage money laundering” procedures to obscure the origin and destination of illicit funds. They convert stolen cryptocurrencies into different tokens, then repeatedly mix and exchange them via automated programs, mixers, and cross-chain swaps to complicate tracking efforts.
3. Use of Decentralized Exchanges: They convert stolen cryptocurrencies into Ether via decentralized exchanges, followed by multiple rounds of mixing and swapping.
Based on the above cases, attackers can steal sensitive data—including confidential business information, customer data, and personally identifiable information—leading to privacy breaches and potential legal consequences. With complete control over targeted systems, hackers may gain access to vast amounts of sensitive information, such as corporate internal data and client records. Lazarus’ hacking campaigns not only result in data leaks and system damage but may also severely disrupt victims’ business operations.
These attacks typically involve sophisticated supply chain compromises, making prevention and detection significantly more challenging. Financial losses may occur due to costs associated with malware removal, data recovery, and system repairs, along with revenue loss caused by operational disruptions. Hacking incidents lead to massive thefts of virtual currencies, causing direct financial harm to victims while potentially exposing their personal information and transaction history. Attacks on cross-chain bridges could paralyze entire systems, disrupting normal transaction processing.
Recommended Countermeasures Against Such Security Threats
1. Promptly Patch Vulnerabilities: Ensure timely application of security patches to fix known vulnerabilities. For software and components used in the supply chain, MetaScan’s automated auditing functionality can help identify and remediate potential vulnerabilities promptly.
2. Strengthen Supply Chain Security: Establish secure partnerships with supply chain vendors and conduct rigorous review and validation of software and components to ensure every link in the supply chain remains protected from hacker intrusions. MetaScout’s monitoring capabilities can dynamically update blacklists to block attacks originating from suspected North Korean hacker addresses.
3. Security Awareness Training: Enhance employee training on cybersecurity. Educate staff about watering hole attacks, malicious scripts, and the importance of supply chain security to reduce human-related risks. Scantist’s DevSecOps solution offers organizations comprehensive security training and guidance.
4. Network Traffic Monitoring: Implement network traffic monitoring and intrusion detection/prevention systems (IDS/IPS) to detect anomalous activities and attack behaviors early. MetaScout’s attack blocking mechanism can integrate with network monitoring to identify and stop hacker transactions in real time.
5. Multi-Layer Defense: Adopt multi-layered defense strategies, including firewalls, intrusion detection systems, and antivirus software, to improve overall system security. MetaScan’s Prover feature can work alongside existing security tools to build a more comprehensive defense framework.
6. Continuous Monitoring and Response: Establish robust monitoring and incident response mechanisms. Through real-time monitoring of network and system activities, organizations can quickly detect suspicious behavior and respond appropriately to minimize damage. Scantist’s component analysis capability continuously monitors vulnerabilities in the software supply chain and intercepts problematic open-source and third-party components promptly.
7. Enhance Security Measures for Cryptocurrency Exchanges and Wallets: Cryptocurrency exchanges and wallet providers should strengthen security practices such as using strong passwords, regularly rotating private keys, and implementing multi-tiered security protocols. MetaScout’s blocking mechanism provides exchanges with dynamic blacklist-based protection to safeguard users’ digital assets.
8. Regular Audits and Inspections: Organizations should conduct regular security audits and inspections to ensure no latent vulnerabilities exist. MetaScan’s automated audit function helps organizations perform thorough security assessments and identify potential risks proactively.
9. Raise Public Awareness: Educate the public about the importance of cybersecurity and how to protect their digital assets. Organizations can use public campaigns and social media channels to raise awareness and provide relevant safety advice and guidance.
It should be noted that security threats and mitigation recommendations should be evaluated and customized based on actual circumstances and the latest threat intelligence. Additionally, effective measures such as regular data backup and recovery, use of strong passwords and multi-factor authentication, and restriction of privileged access also contribute significantly to enhancing security.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










