The infamous Lazarus Group has again been linked to financially motivated attacks around the world, activity widely attributed to the revenue pressure that international sanctions put on North Korea.

An attack against an organization working in the cryptocurrency vertical has been linked to the notorious Lazarus Group (also tracked as APT38), a highly skilled, financially motivated threat actor whose interests reportedly align with those of the Democratic People’s Republic of Korea (DPRK).

By connecting evidence obtained from the attack with existing research, the report by cybersecurity solutions provider F-Secure concludes the incident was part of a campaign targeting organizations in the cryptocurrency vertical in the United States, the United Kingdom, the Netherlands, Germany, Singapore, Japan, and other countries.

The tactical intelligence report provides an analysis of samples, logs, and other technical artifacts recovered during an incident response investigation at an organization working in the cryptocurrency vertical. According to the report, the malicious implants used in the attack were nearly identical to tools reportedly used previously by Lazarus Group.

The report identifies the tactics, techniques, and procedures (TTPs) used during the attack, such as spear-phishing via a service (in this case, a fake job offer sent over LinkedIn and tailored to the recipient’s profile). Notably, the Lazarus Group invested significant effort in evading defenses during the attack, for example by disabling antivirus software on the compromised hosts and removing evidence of its malicious implants. Even so, this was not enough to prevent the forensic investigation from recovering evidence of the group’s activities.
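The two defense-evasion behaviours named above, switching off antivirus and clearing evidence, generate their own traces on Windows hosts, which is one reason they rarely hide an intrusion completely. The following is an added example, not code from F-Secure's report or from the investigation it describes: a small detection rule set run over constructed event-log lines (JSON, one event per line; the field names `host`, `provider`, `event_id`, `command_line` are an assumed normalization, not a Windows format). The event IDs are real Windows values (Defender 5001/5010, Eventlog 1102/104, Security 4688) and the technique IDs are the standard MITRE ATT&CK mappings for disabling security tools and clearing event logs.

```python
"""Flag antivirus-disable and log-clearing activity in normalized Windows event
logs. Added example; the sample log lines are constructed, not recovered
artifacts from the incident described in the article."""
import json
import re
from collections import defaultdict

# Dedicated events that fire when the behaviour happens. The provider/event-ID
# pairs are real Windows values; the ATT&CK IDs are the standard mappings.
EVENT_RULES = {
    ("Microsoft-Windows-Windows Defender", 5001): ("T1562.001", "Defender real-time protection disabled"),
    ("Microsoft-Windows-Windows Defender", 5010): ("T1562.001", "Defender malware scanning disabled"),
    ("Microsoft-Windows-Eventlog", 1102): ("T1070.001", "Security audit log cleared"),
    ("Microsoft-Windows-Eventlog", 104): ("T1070.001", "Event log file cleared"),
}

# Command lines from process-creation events (Security 4688 or Sysmon 1) that
# achieve the same result, in case the dedicated event is missing or was itself
# cleared.
CMDLINE_RULES = [
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I),
     "T1562.001", "Defender disabled via Set-MpPreference"),
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
     "T1070.001", "Event log cleared via wevtutil"),
    (re.compile(r"\bClear-EventLog\b", re.I),
     "T1070.001", "Event log cleared via Clear-EventLog"),
]


def parse_line(line):
    """One JSON object per line; malformed or non-object lines are skipped."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def detect(lines):
    """Return one alert per matching rule per event, in log order."""
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev.get("provider"), ev.get("event_id"))
        if key in EVENT_RULES:
            tech, detail = EVENT_RULES[key]
            alerts.append({"host": ev.get("host"), "time": ev.get("time"),
                           "technique": tech, "detail": detail})
        cmd = ev.get("command_line") or ""
        for pattern, tech, detail in CMDLINE_RULES:
            if pattern.search(cmd):
                alerts.append({"host": ev.get("host"), "time": ev.get("time"),
                               "technique": tech, "detail": detail})
    return alerts


def hosts_by_technique(alerts):
    """Collapse alerts into {technique_id: sorted list of affected hosts}."""
    out = defaultdict(set)
    for a in alerts:
        out[a["technique"]].add(a["host"])
    return {tech: sorted(hosts) for tech, hosts in out.items()}


# Constructed sample log: two hosts, one AV-disable sequence, one log clear,
# one benign process start and one unparseable line.
SAMPLE_LOG = [
    '{"time":"2020-06-02T09:14:03Z","host":"ws-17","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,'
    '"command_line":"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}',
    '{"time":"2020-06-02T09:14:05Z","host":"ws-17","provider":"Microsoft-Windows-Windows Defender","event_id":5001,'
    '"message":"Real-time protection is disabled."}',
    '{"time":"2020-06-02T09:40:51Z","host":"ws-17","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,'
    '"command_line":"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs"}',
    '{"time":"2020-06-02T11:02:10Z","host":"srv-04","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,'
    '"command_line":"wevtutil.exe cl Security"}',
    '{"time":"2020-06-02T11:02:10Z","host":"srv-04","provider":"Microsoft-Windows-Eventlog","event_id":1102,'
    '"message":"The audit log was cleared."}',
    'not json at all',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} {a["host"]} {a["technique"]} {a["detail"]}')
    print(hosts_by_technique(found))
```

Two points worth noting. Event 1102 is written as the first entry of the freshly cleared Security log, so clearing the log records the act of clearing it; that is the kind of residue that lets an investigation recover activity the attacker tried to remove. And the command-line rules deliberately duplicate the dedicated-event rules, because an actor that clears logs may remove one source but not the other (process telemetry is often shipped off-host before the log is wiped).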

According to F-Secure’s Director of Detection and Response Matt Lawrence: “The evidence suggests this is part of an ongoing campaign targeting organizations in over a dozen countries, which makes the attribution important. Companies can familiarize themselves with (the details of this incident) and the Lazarus Group in general, to protect themselves from future attacks.”

Based on phishing artifacts recovered from the attack, researchers were able to link the incident to a wider, ongoing campaign that has been running since at least January 2018 in at least 14 countries.