Kaspersky Lab found a “direct link” between the Lazarus group banking heist hackers and North Korea.

While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of “invisible theft without leaving a trace.”

The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software and crypto-currency businesses.

Although Lazarus has attacked manufacturing companies, media and financial institutions in at least 18 countries since 2009, Lazarus/Bluenoroff regrouped at the end of 2016, and Kaspersky Lab said the group “rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”

Kaspersky has identified Bluenoroff watering hole attacks in Poland, Uruguay, Nigeria, the Russian Federation, Mexico, India, Peru, Norway and Australia.

Kaspersky Lab

The group seems to favor the strategy of silently integrating into running processes without breaking them. Kaspersky Lab says Bluenoroff’s malware “might be secretly deployed now in many other places, and it isn’t triggering any serious alarms because it’s much more quiet.”

The group starts by using a simple backdoor that doesn’t have much impact on the group if it is burned. If, however, the first stage backdoor reports an interesting infection, then the group deploys more advanced code and persistent backdoor, which is carefully protected from accidental detection.

But a hacker in the group did mess. Forensic analysis on a hacked server in Europe revealed that the attacker “used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”

The logs were likely not wiped because the hacker installed Monero cryptocurrency mining software, which locked up the system.

“The software so intensely consumed system resources that the system became unresponsive and froze,” Kaspersky Lab said. “This could be the reason why it was not properly cleaned, and the server logs were preserved.”

Kaspersky Lab said, “Lazarus is not just another APT actor,” but it didn’t go as far as to name the North Korean government. The security firm did say, however, “the level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.”

This is not the first time researchers have suggested Lazarus is linked to North Korea. Some of the banking heists had similar coding techniques as those used in the 2014 Sony hack. Kaspersky didn’t rule out the possibility that the North Korean IP could be a false flag such as when the group inserted Russian commands into its malware, using words that were inaccurately translated via online tools, in an attempt to make attribution more difficult and to send researchers sniffing a false lead.

Nevertheless, Kaspersky researchers said, “This is the first time we have seen a direct link between Bluenoroff and North Korea.” But “is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation.”

Kaspersky Lab detected Bluenoroff malware samples in March 2017, “showing that attackers have no intention of stopping.”

“We’re sure they’ll come back soon,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss. We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

Kaspersky researchers discussed the group’s infiltration methods and relation to attacks on SWIFT software used in banks for transactions. Additionally, the security firm released “crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks.”

Researchers urged “all organizations to carefully scan their networks for the presence of Lazarus malware samples, and if detected, to disinfect their systems and report the intrusion to law enforcement and incident response teams.”