According to a joint government investigation, the North Korean hacker group Lazarus has infiltrated the South Korean court’s computer network for two years, extracting 1,014GB of data, including personal information. Lazarus is believed to have been established in 2007 and recognized as a de facto North Korean hacker group due to its close ties with North Korea’s Reconnaissance General Bureau.
According to the South Korean National Intelligence Service and other sources on the 12th, Lazarus is a hacker organization linked to the Reconnaissance General Bureau, the command center for North Korea’s operations against the South. Along with Kimsuky and Andariel, it is known as one of North Korea’s three major hacking organizations. Previously referred to as HIDDEN COBRA, the U.S. Treasury Department believes the group was organized in early 2007.
Lazarus Group has previously been implicated in the 2014 Sony Pictures hack, the 2016 Bangladesh Central Bank hack, and the 2017 WannaCry ransomware incident. Last month, police detected evidence of Lazarus and other North Korean hacking units launching comprehensive attacks to steal South Korean defense technology.
Mainly since 2017, beginning with an attack on the UK’s National Health Service (NHS), the group has been stealing virtual assets from cryptocurrency exchanges, decentralized exchanges (DeFi), and Play to Earn (P2E) projects. Last year, they stole virtual assets worth $1.6 billion, and analyses suggest that the virtual assets obtained through hacking are being used for North Korea’s missile development. In February last year, the South Korean government designated Lazarus Group as a target for North Korea-related cyber sanctions.
The South Korean National Police Agency’s National Investigation Headquarters revealed on the 11th that Lazarus Group had intruded into the court’s computer network from January 7, 2021, to February 9, 2023, and transmitted 1,014GB of data externally. This included handwritten statements containing personal information such as social security codes and bank account numbers, statements of increased debt and insolvency, marriage certificates, and medical certificates.
The National Investigation Headquarters stated, “The attacker had been infiltrating the court’s computer network since at least January 7, 2021, but we could not determine the initial intrusion time and cause, as the detailed records of the security equipment at the time have already been deleted.” The investigation identified only 5,171 of the exfiltrated documents; the nature of the remaining data could not be determined.
They said, “The court that received the leaked data will determine whether it contains personal information and calculate the number of victims.” Still, as the confirmed data only accounts for 0.5% of the total data leaked externally, it is expected to be challenging to estimate the actual scale of the damage.
The investigative authorities concluded that the North Korean hacking organization carried out this incident based on the type of malicious program used in the crime, the payment history of rented servers paid for with virtual assets, and the IP addresses involved. The National Investigation Headquarters explained, “Upon comparing and analyzing this hacking incident with previous ones confirmed to be from North Korea, we found that most of the malicious code (Lazarus Door), server hacking techniques, etc. used by Lazarus were identical.”
Meanwhile, the National Intelligence Service is verifying indications that North Korea is supplying obsolete stockpiled weapons to Russia and illegally procuring foreign parts for the production of new weapons. The National Intelligence Service stated today, “We are conducting a detailed analysis as there are circumstances related to this issue, such as the inclusion of North Korean 122mm multiple rocket launchers from the 1970s among the weapons used by Russia in the attack on Ukraine,” and “We are continuously tracking matters related to military cooperation between Russia and North Korea.”