KP · Korea (Democratic People's Republic of) · confidence: 50 · G0032 · G0082 · G0138

Lazarus Group

Also known as: Operation DarkSeoul · Dark Seoul · Hidden Cobra · Hastati Group · Andariel · Unit 121 · Bureau 121 · NewRomanic Cyber Army Team · Bluenoroff · Subgroup: Bluenoroff · Group 77 · Labyrinth Chollima · Operation Troy · Operation GhostSecret · Operation AppleJeus · APT38 · APT 38 · Stardust Chollima · Whois Hacking Team · Zinc · Appleworm · Nickel Academy · APT-C-26 · NICKEL GLADSTONE · COVELLITE · ATK3 · G0032 · ATK117 · G0082 · Citrine Sleet · DEV-0139 · DEV-1222 · Diamond Sleet · ZINC · Sapphire Sleet · COPERNICIUM · TA404 · Lazarus group · BeagleBoyz · Moonstone Sleet · Black Artemis

Origin: KP
Known aliases: 41
Target sectors: 2
Attribution: State-sponsored

Profile

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

Aliases · 41

Operation DarkSeoul · Dark Seoul · Hidden Cobra · Hastati Group · Andariel · Unit 121 · Bureau 121 · NewRomanic Cyber Army Team · Bluenoroff · Subgroup: Bluenoroff · Group 77 · Labyrinth Chollima · Operation Troy · Operation GhostSecret · Operation AppleJeus · APT38 · APT 38 · Stardust Chollima · Whois Hacking Team · Zinc · Appleworm · Nickel Academy · APT-C-26 · NICKEL GLADSTONE · COVELLITE · ATK3 · ATK117 · Citrine Sleet · DEV-0139 · DEV-1222 · Diamond Sleet · ZINC · Sapphire Sleet · COPERNICIUM · TA404 · Lazarus group · BeagleBoyz · Moonstone Sleet · Black Artemis · G0032 · G0082

Target sectors · 2

Government · Private sector

Known victims · 19

  • South Korea
  • Bangladesh Bank
  • Sony Pictures Entertainment
  • United States
  • Thailand
  • France
  • China
  • Hong Kong
  • United Kingdom
  • Guatemala
  • Canada
  • Bangladesh

Incident types

Espionage · Sabotage

MITRE ATT&CK Group crosswalk

G0032 · G0082 · G0138

References

  1. https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/
  2. https://www.us-cert.gov/ncas/alerts/TA17-164A
  3. https://www.us-cert.gov/ncas/alerts/TA17-318A
  4. https://www.us-cert.gov/ncas/alerts/TA17-318B
  5. https://securelist.com/operation-applejeus/87553/
  6. https://securelist.com/lazarus-under-the-hood/77908/
  7. https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
  8. https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • APT37 (Actor)
  • Operation Sharpshooter (Actor)
  • Silent Chollima (Actor)
  • BlueHornet (Actor)
  • Operation Shadow Force (Actor)
  • APT39 (Actor)

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.