Podcast: Digital Desperados 9: Lazarus Group

Jim Brangenberg: Hey, welcome to the Digital Desperados Podcast featuring Dark Tales from the Web. Patrick McMurphy’s here today to tell us our dark tale. He’s joined by Brad Hawkins, founder and CEO of SaferNet VPN. I’m Jim Brangenberg and I’ll serve as your story guide. And of course, this podcast is brought to you by SaferNet because we really want you to check SaferNet out.

Every time you go online, your heart and soul are under attack. Secure your soul. With SaferNet VPN. Simplified cybersecurity for businesses and families. Just give yourself a chance to not have your mind be destroyed by the garbage on the internet. Check out SaferNet with its VPN, internet controls, virus protection, and so much more.

Like 84 website filters. Stay safe and productive. Get secured now. SaferNet.com. That’s SaferNet.com. All right. Patrick, which dark tale is today’s highlighted? Who are you highlighting today? Why can’t we get it out today? Just tell us who’s the bad guy.

Patrick McMurphy: Well, Jim, today I’m very excited because today it’s a little bit different. We were talking about one of the many state sponsored hacker groups. And so you might ask, you know, what is state sponsored hacking?

Jim Brangenberg: You mean like Michigan or Chicago or Illinois or New York? What state sponsored?

Patrick McMurphy: No, sir. I mean state as in a nation state. And so it really refers to cyber attacks carried out on behalf or by a national government.

And these attacks are not small fry things. These are espionage, massive disruption, influencing foreign or domestic affairs. We get into real James Bond level stuff when we get into state sponsored hacking. And today, we’re looking at the Lazarus Group. One of the most notorious state sponsored hacking groups on the planet.

They’re also known as Hidden Cobra. They call themselves the Guardians of Peace. You’ll find out soon that’s completely untrue. But they are North Korea’s state sponsored hacker. So, the best way to consider state sponsored hackers is that every country who has any military interest has a state sponsored hacker group.

So it’s quite a few of them. There’s a lot, a lot of people, a lot of players in this game.

Jim Brangenberg: Wow. I mean, I really wish I had some James Bond music to play in the background.

Patrick McMurphy: I know we should. Yeah, like the little, you know, piano from Dr. No at the start. That’s right.

Jim Brangenberg: We’ll have to work on that next time.

Patrick McMurphy: Now, as you can imagine, there’s not a lot known about them.

We do know that, so for example, there’s a North Korean defector by the name of Kim Kuk Sung. And he tells us that within North Korea, the group are known as the 414 Liaison Office within the government, which doesn’t sound like what you would call an international hacking outfit, but, so

Brad Hawkins: Before we get started, what, what is the intent of a state sponsored hacker?

Patrick McMurphy: What is the intent of an army?

Brad Hawkins: So they’re going at their, their enemies to try to gather or

Patrick McMurphy: Exactly.

Brad Hawkins: Collect data to determine how they might be able to penetrate.

Patrick McMurphy: They attack their nation’s enemy. They’re a picture of them as a very aggressive army, but they are underground. They’re digital. I mean, it’s, it’s very easy to tell if there’s a standing army walking across your border, right?

It’s obvious. When that army is in your fiber optic cables, it’s pretty hard to tell.

Jim Brangenberg: I don’t know, we seem to have some politicians that don’t see that standing army coming across our borders, so

Patrick McMurphy: That’s a good point.

Jim Brangenberg: Yeah, but what you’re saying, that these are, these are countries that are just wanting to get at us in any and all ways.

Patrick McMurphy: Yeah, they’re, they’re effectively the military and as time goes on, these kind of groups get larger and larger because things are more and more digital, right? And so the Lazarus group, they’ve been around for over a decade. We’ve seen them go from, you know, they really didn’t, didn’t have a great idea of what they were doing at the start in terms of how sophisticated they were, but they have become incredibly dangerous and sophisticated.

So the Lazarus group initially, the hackers within them are sent to Shenyang in China. So there’s a special university in Shenyang that trains hackers in terms of creating malware, deploying malware. And if anyone’s surprised that China has a hacking university, I mean, you, you should not be surprised with this.

So following this, they’re sent back to North Korea and they’re sent to the top universities. There’s Kim Chaek University of Technology. There’s the Kim Il Sung University, where they go through a following six years of specialized education. So we’re talking about a decade’s worth of university level education for these guys.

So these aren’t, these aren’t dumb individuals. These are pretty smart guys. And so, Lazarus, Lazarus’ first attack was called Operation Troy, and it took place from 2009 to 2012. And as you know, look, they’re North Korean. Their number one target is going to be South Korea. And so, what this attack was, it was, in retrospect, kind of basic DDoS attacks, which is Distributed Denial of Service attacks, against the South Korean government.

That’s what it was initially. However, they then went on to create something called the Dozer malware, which was then used to launch additional attacks against South Korean websites. But this was the time they also started experimenting with, could we also attack the U.S.? And so, during Operation Troy, there was a small amount of attacks against US websites, enough for the U.S. to notice, but not enough for them to really get worried about.

Brad Hawkins: Now, when you say US based website, are you talking about US as in government or US as in individual businesses?

Patrick McMurphy: I would say private. Yeah, kind of small price stuff, but I mean enough to kind of get out. I mean, if anyone in authority of the US sees any kind of attack coming from North Korea, whether it’s against a private individual with a blog or a small business, you know, they’re going to make note of it.

Jim Brangenberg: Wow. 10 years of training. Wow. That’s a doctorate in, you know, cybercrime. That’s unbelievable.

So, have you had one place to monitor all the internet activity of everyone in your workplace? Protect your business and family with SaferNet, the simple cybersecurity app. Shield your online presence with a VPN, internet controls, virus protection, and 84 website filters. Stay focused on your mission at work – transforming your workplace into a safe place no matter where people are going and monitor that activity, and help people be secure. Sign up at SaferNet.com, that’s SaferNet.com. As I use it for our organization, the console of watching where all the activity is going on all of the devices, it’s so great to be able to see it. And it’s keeping us safe. It’s keeping us protected. I just love it. SaferNet.com.

Patrick McMurphy: And so, you know, over time, especially from Operation Troy, Lazarus really starts learning how to get things done. So following Troy, there’s two campaigns. One is called the Ten Days of Rain. And the second is called the Dark Seoul attack. Both are just targeting South Korean broadcast companies, financial institutes, ISPs. They’re all into ISP blackouts in South Korea, everything within South Korea. Basically they’re fully committed to just messing up South Korea. And a lot of people, a lot of commentators, who look back on this time, and I kind of feel this too, think that Lazarus were actually just training. They were using South Korea as training dummies, basically, because what they go on to do is much more global in its scope.

So the biggest, the first big attack outside of South Korea, was the Sony Pictures hack. And so the motivation behind this always cracks me up because I’ve seen the movie. So I don’t know – this is in 2014. And can you remember there was a movie coming out called The Interview?

It was a comedy movie and it depicted two guys trying to get an interview off Kim Jong Un, two Americans, James Franco and Seth Rogen. And they go to, they go to North Korea in the movie and the whole movie is just a mockery of North Korea. And as you can imagine, Kim Jong Un did not like this at all.

He did not because his family have always been big fans of movies, American movies. So now they see American movies taking the fun out of them. And so he has a meltdown, he has a temper tantrum. And so he directs Lazarus Group to breach Sony Pictures. So there’s a lot, a lot released here. So there’s, you know, as you can imagine, there’s unreleased movies, there’s personal employee information, future film plans, executive salaries, and their emails, internal emails, and altogether personal data of about 4,000 employees.

So it’s a pretty, it’s a significant breach. And so at this point, people kind of know Lazarus aren’t, you know, they’re not messing around. Their big attack following the Sony Pictures hack was something you would see a lot with North Korean hackers. It was a test. It was a heist.

And this is how actually North Korea get a lot of their money. It’s true. Cyber heist. So effectively Lazarus used the SWIFT network to issue 35 fraudulent transactions, aiming to transfer nearly $1 billion from the Federal Reserve in New York to an account belonging to Bangladesh Bank.

Brad Hawkins: Now you’re talking about, you’re talking about the SWIFT network as in international money transferring, correct?

Patrick McMurphy: Yeah, exactly, exactly. They did not get the full $1 billion at all. They made off with roughly about $101 million though. The Federal Reserve actually managed to stop upwards of $850 million, but all that money, that’s just getting funded back into the North Korean government. That’s the whole thing.

That’s, I mean, when you always look at what’s North Korea’s source of income, because you know, they get propped up by a number of other countries, including China, right? And hacking is, is actually a huge money getter for them.

Jim Brangenberg: I just, I love it when you say that King Kim Jong Un, you know, threw a temper tantrum. He was like 15.

I mean, I mean literally he became, he became the ruler when Kim Jong Il died. And he was like a little kid. I mean he was literally, I don’t even think he was shaving yet when he became the, you know, the evil dictator. It was just like, oh, one million dollars, I mean, just seriously, it’s crazy.

All right, World War Three started on your computer when Al Gore unleashed the internet in 1994. We want to fortify your business against cyber attacks. Well, we need to do it with SaferNet. SaferNet is the answer. It’s the cybersecurity app that protects your enterprise on all fronts, including internet filters, VPN, antivirus, website filters. It has got so much! Go to SaferNet.com. That’s SaferNet.com. You’re tired of hearing me talk about it. You got to go check it out. It’s going to change your life.

Patrick McMurphy: So, you know, Lazarus made off with their hundred million for the dictator and they then started planning what is probably today one of the biggest hacks that’s ever happened in terms of just destruction. I can remember the day it happened. I was monitoring everything.

It was, I was writing a lot of cybersecurity blogs at the time. And I remember, I think Twitter and like five other websites started exploding with notifications over this thing. But it was called the WannaCry Ransomware Attack. It was May 12th, 2017. It was a global cyber attack that lasted 7 hours and 19 minutes.

It impacted institutes across the globe, even Chinese institutes. So this is how powerful Lazarus were getting. They were turning on the Chinese. One of the biggest services, it was the National Health Service, the NHS, in Britain. They crippled it entirely. Europol estimated that it impacted 200,000 computers in 150 countries, all universities, hospitals, everything.

And so what WannaCry ransomware did is that it targeted a Windows operating system vulnerability called EternalBlue. Now EternalBlue, I won’t get deep into what EternalBlue was, but it was actually found by another state sponsored hacking group about a year previous, and it was then leaked on the dark web.

And Microsoft, I’m not even sure they were aware that it was leaked. It’s a vulnerability that allowed the ransomware to get into a machine and it would encrypt all the data on the machine and demand Bitcoin for decryption. But here’s the thing about WannaCry, this is how beautifully it was written. WannaCry is art, I don’t care what anyone says, this is how beautifully it was written.

That, unlike typical ransomware that, you know, can spread through, you know, one person gets an email and then they email someone else. All it takes is one machine in the network. WannaCry infects one machine in a hospital. That’s all it needs. And it spreads like a worm across networks, jumps through printers, jumps through phones, it jumps through everything without a single bit of user interaction. All it takes is one infection and the whole institute is locked down by WannaCry.

Brad Hawkins: Oh my word. And you’re talking about the entire network. So anything

Patrick McMurphy: Like a hospital network, a university network,

Brad Hawkins: Anything within a network is going to be affected without anything other than one probably, what, a phishing attempt?

Patrick McMurphy: It was a spear phishing attack, yeah. Yeah. Yeah. But yeah, that’s all it takes. The actual economic impact of WannaCry, it cost four billion in damages.

There were car manufacturers that had to stop, semiconductor factories had to close. And I mean, even if you look at the disruption of the NHS in England, I mean, there’s people to get major surgery, they couldn’t. People died, you know. It was, it was an incredibly devastating attack. Now, the resolution was almost like something from a movie.

There was a security researcher, now perhaps we’ll do an episode about him one day, he was a black hat turned white hat by the name of Marcus Hutchins. Now, these days, the FBI still treats Marcus like he’s a black hat, but what he actually did was that at the end of these seven hours, he’d gone into the, he’d gotten the code for WannaCry and deployed it on a virtual machine in a closed environment and studied it.

And he actually found that Lazarus had left a kill switch inside the virus that, if you hit it, it would release all of the machines that are infected, which is, which is a crazy thing to leave in your very sophisticated virus. But Marcus Hutchins had found this, hit it, and the machines basically were released from the attack. But it was, it was huge. It was absolutely huge. But yeah, you know, as you said, for WannaCry and really for other attacks, spear phishing is one of Lazarus’ big moves. So spear phishing, unlike normal phishing, where you can email a thousand people, spear phishing is that you know the email of the CEO of a company or the dean of a university and you email them specifically with information for them.

And that’s how you get through it. Now in terms of membership there’s only one known member called Park Jin Hyuk. The thing with Park Jin Hyuk is that North Korea claims that he does not exist. So he’s definitely a member, I think. If North Korea says you’re not real, you’re probably, they’re big.

You’re probably real. But they’re, they’re still at large, you know, they’re still working. Yeah, I mean, they haven’t had a huge, they’ve had minor attacks against South Korea, but nothing huge since. They’re probably a little embarrassed for leaving that kill switch in, to be honest with you.

Jim Brangenberg: But, well, I mean, so they blew their whole deal to make money that day. I mean, they caused damages, but they didn’t make any money. ’cause nobody had to pay ’em any ransom?

Patrick McMurphy: No. No one made money. No one made money. But there, there was a ton of damages. But, you know, you know what, Jim, maybe there may have been a couple of individual companies that paid straight away or something, but anyone who held out during that would have had to pay nothing and got their machines released.

Jim Brangenberg: Wow, well, I wonder if that guy that left that kill switch in there, I wonder if he’s still alive today.

Patrick McMurphy: No, I’d say him and his bloodline are gone off the face of the earth.

Jim Brangenberg: That’s not very cool.

Wow, should we be learning something here? I mean, this ransomware stuff, it’s – what should we be learning?

Patrick McMurphy: You know, Jim, I think you kind of need to take a step back and look at state sponsored hackers as a whole. So every day, the last maybe two, three years, we turn on the news, there’s been a war on the news.

We see it. But in reality, for the last decade, there’s been a digital war going on underground. And, you know, if you see on the news there’s a war, you may say to yourself, Oh, thank goodness I’m not on the front line. Boy, being on the internet, you’re on the front line of that digital war, by the nature of your statehood. If you’re American, Canadian, European, Australian, you’re a valid target to state sponsored hackers. And you know, the thing is like, you know, in traditional warfare, you can wear a bulletproof vest, which you would have to, you need to be proactive about cyber security as well, and not reactive.

I mean, there’s very little point of crying foul when you’ve been hacked, when you didn’t wear any bulletproof vest at all to begin with, so.

Brad Hawkins: That’s such a, that’s a, such a great point, Patrick. I think it’s so important to be able to realize that we are in the middle of this. It is a real thing. So many people that I know, even my good friends, feel like, well, hacking only happens to those people that are very wealthy or very important or, you know, whatever it is, but it’s happening everywhere all the time.

And you know, these ransomwares are just so destructive. One of the exciting things that I feel is great is with SaferNet, it isolates a computer. It keeps that computer to the place where it will not allow something to hop through the network and violate the entire network. Now that computer might end up being trashed if somebody clicks on an email, but it doesn’t allow it to go through the network and connect to all the other devices in the, in the network.

And so I think it’s so critical to understand we have to wear our bulletproof vest in the middle of a war. We just have to. And that’s what SaferNet’s all about, is how do we help people protect their businesses, protect their families, and make sure that they’re not going to be part of these, these different attacks?

Jim Brangenberg: You heard it here. You’re on the front line of the digital war. The internet and everything digital has a dark side and many dark players. And you’re learning about them here on the Digital Desperados podcast. It’s why you need SaferNet by your side, go to SaferNet.com and get downloaded today. And so until the next time, click only on the attachments that you trust from those you trust and don’t forward them to anybody else and delete the rest.

Or you may become the next victim of a digital desperado, maybe even a state sponsored terrorism on your internet. Get SaferNet, and we’ll see you on the next episode.