Lazarus Subsidiary Seen Directing Attacks Towards South Korea
Target: South Korean corporations and related entities
Attack Vector: Watering hole attacks
Threat Actor: Andariel
Summary: The Lazarus group has been carrying out state-sponsored attacks on behalf of the North Korean government for some time. A subsidiary of the group, identified as the Andariel Group, has now emerged. It has been observed exploiting a zero-day vulnerability in ActiveX and then using it to infect South Korean targets with malware or to steal data.
Andariel is a little-known state-sponsored threat actor that has been active since 2014. The group has historically targeted South Korea, and commercial entities that are widely used within the country have also served as an attack vector. The group is known for its use of command and control infrastructure and malware; the March 2013 DarkSeoul attack is a notable example of its work.
Risk assessment summary: This threat is assessed as 3e MODERATE. North Korean threat actors have typically shown a high capability in their actions, and Andariel is no different. The ability to exploit vulnerabilities and push out malware in combination could lead to particularly effective attacks. Currently, North Korean state-sponsored activity is expected to continue at the same level, but recent diplomatic missions in South Korea and the West could change this forecast in the long run.