October 17, 2022
TOKYO – The North Korean hacker group Lazarus has conducted cyber-attacks targeting Japanese crypto asset companies, according to the National Police Agency.
It is unusual to name a suspected attacker before taking such actions as an arrest, but in this case, authorities have adopted a method called “public attribution,” using it in Japan for the fifth time.
Although perpetrators who carry out cyber-attacks from overseas are rarely identified, the country involved can be determined through the analysis of viruses and other investigative methods. Recently, the Japanese government has focused on public attribution, in which the name of the main attacker, its purpose, methods and other information are made public, because it is regarded as an effective tool to deter attacks.
According to a senior NPA official, Lazarus sent phishing emails to employees of target companies, pretending to be executives of cryptocurrency companies, and communicated with them via social media to infect their computers with malware.
Some of the companies had their internal systems hacked and cryptocurrency stolen. After receiving reports of damage, regional police across the nation investigated the cases together with the NPA’s special investigation unit on cyber-attacks, which was established in April this year. Their investigation led to identifying Lazarus as the perpetrator.
Lazarus has close ties to North Korea’s Reconnaissance General Bureau, which is its foreign intelligence agency, and is believed to have been involved in the WannaCry ransomware attack in 2017 targeting banks and other institutions around the world. In April this year, the U.S. Federal Bureau of Investigation blamed Lazarus and other hackers for the theft of cryptocurrency worth about ¥78 billion.
The NPA has not disclosed individual domestic cases linked to Lazarus. According to sources, Lazarus is believed to have been involved in the theft of about ¥6.7 billion in Bitcoin and other cryptocurrency from the Zaif crypto exchange in 2018, as well as a case in which Ripple and other cryptocurrency worth about ¥3.5 billion disappeared from Bitpoint Japan in 2019.
On Friday, the NPA jointly released an alert with the Financial Services Agency and the National Center of Incident Readiness and Strategy for Cybersecurity, saying it was highly likely that Japanese businesses have been targeted by Lazarus for several years. As a countermeasure, the authorities urge people not to open email attachments carelessly.
“Lazarus initially targeted banks in various countries, but recently it has been aiming at crypto assets that are managed more loosely,” said Katsuyuki Okamoto, 56, of the information security firm Trend Micro Inc. “It’s important to engage in public attribution, as it will raise public awareness of the perpetrator’s tactics and prompt people to take measures.”