Dive Brief:
- Energy providers in the U.S., Canada and Japan have been targeted by the North Korea state-sponsored threat actor Lazarus Group since February, according to Cisco Talos research published Thursday.
- The group exploited Log4j vulnerabilities in VMware Horizon to gain access to enterprise networks and conduct espionage on behalf of the North Korean government, stealing data and trade secrets, Cisco Talos threat intelligence researchers said.
- To compromise its targets, the advanced persistent threat actor used two previously known malware strains, VSingle and YamaBot, and a previously unknown remote access trojan that Cisco Talos discovered and named MagicRat.
Dive Insight:
Lazarus is one of several North Korean government-linked threat actors targeting critical infrastructure. Other state-sponsored groups include Andariel, APT38, BlueNoroff, Guardians of Peace and Kimsuky.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” Cisco Talos researchers wrote in a blog post.
The threat intelligence group detailed how Lazarus Group uses custom-built malware to move across infected networks post-exploitation.
The command-and-control and payload-hosting infrastructure used by Lazarus and observed by Cisco Talos mirrors that described in a June advisory from the Cybersecurity and Infrastructure Security Agency about threat actors' continued attempts to compromise vulnerable VMware Horizon servers.
Lazarus, known for the Sony attack in 2014 and the WannaCry ransomware attacks in 2017, has turned its attention to blockchain and cryptocurrency organizations in recent months, underscoring its varied approach to achieving financial and extortion objectives.
The U.S. State Department in July doubled its reward, to up to $10 million, for information on individuals associated with Lazarus Group and other malicious actors involved in targeting critical infrastructure.