Today, SentinelLabs reveals new research that establishes the first known link between the pervasive TrickBot crimeware and North-Korean APT group Lazarus. In this post, we explain the significance of the discovery and get some unique insights from SentinelOne’s Chief Security Advisor Morgan Wright on why this ground-breaking research changes the game for enterprise security.
1. What Did SentinelLabs Discover About Crimeware and APT Lazarus?
Research by the SentinelLabs’ team led by Vitali Kremez shows that a new TrickBot derivative project called ‘Anchor’ allows TrickBot customers access to higher-level APT-type functionality, tools and methods. These include loading frameworks such as Metasploit, Cobalt Strike and PowerShell Empire for further post-exploitation and clean-up routines to remove evidence of an attack. In their report, the SentinelLabs team reveal evidence that a known Lazarus toolkit, PowerRatankba, was loaded via the TrickBot Anchor project, thus unmasking the relationship between one of the world’s most successful crimeware operations and a nation-state actor interested not only in espionage but also financial reward.
2. Why is the Finding About TrickBot and Lazarus So Important?
SentinelOne’s Chief Security Advisor, Morgan Wright, explained that this is the first time we’ve seen North Korea – a state sponsor of terrorism and one of the top four adversaries we have in cyberspace, besides Russia, China and probably Iran – working together with a criminal syndicate.
Morgan “The SentineLabs report on Anchor talks about how North Korea isn’t just exploiting information for espionage, but also stealing and monetizing information in order to fund their government. This has huge implications for the business world, for decision makers, for how we’re going to spend, what we’re going to defend against and what the real threats are, and it shows the innovation that our adversaries are engaging in to stay a step ahead.”
3. What Are the Implications for National Security?
Morgan: “Had this not been discovered, we would never have realized that these crimes against our businesses are actually helping to fund terrorism. They are helping to fund North Korea’s nuclear weapons development. The money they generate through these cybercrimes is then used back against the United States and other nations.”
“Knowing what we now know thanks to this unique research, it gives our decision makers, especially U.S. Cyber Command, the NSA, people who have a responsibility for offensive cyber operations, the chance to look at this and say, what can we do now to stop these attacks? What can we do now to put another tool in our arsenal so that we can blunt these attacks and that we can also give warning, give intelligence to our partners, to our businesses?”
“From a policy standpoint, decision makers can now look at this new threat information to make different decisions. We need, also, to recognize that we don’t know how long this kind of activity has been going on undetected until now. People need to ask are we vulnerable? Have we been hit? Can we do some things to mitigate this?”
4. What Does The SentinelLabs Report Mean For CISOs?
Morgan: “One of the first things CISOs ought to be doing with this is educating the leadership, educating the executives to explain why this thing is important and why they need to be able to defend against it. CISOs have to get the buy-in from the top as well as from the people who have to implement policy for each company. The SentinelLabs report on the Trickbot Anchor project is 31 pages of unique research, not re-analysis or aggregated findings from other sources.”
“This report gives a lot of information for CISOs to take affirmative and very confident actions. They can implement this into their overall policy, into their overall security architecture, into their overall schemes, and make sure they go back and look to see if they are vulnerable, if they’ve been hit, and what actions they need to take going forward.”
5. What Else Can You Tell Us About SentinelLabs?
Morgan: “Many people use third party information or they buy information from other sources. This SentinelLabs report is the product of SentinelOne’s own research division brought to you by people with vast amounts of experience. The combined industry experience of everybody on the team runs from the FBI to national security to big companies, big pharma, big banks. You get the best analysis, the best information, that you can take immediate steps to use. I can’t wait to see what they come up with next.”
SentinelLabs is a research division designed to identify new attack vectors and mitigate threats impacting businesses.