North Korean state-sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows.

Hackers associated with the APT Lazarus/HIDDEN COBRA group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019, says the Sansec Threat Research Team. "Previously, North Korean hacking activity was mostly restricted to banks and South Korean crypto markets, covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations report. As Sansec’s new research shows, they have now extended their portfolio with the profitable crime of digital skimming," says the research team. 

Sansec researchers have attributed the activity to HIDDEN COBRA because infrastructure from previous operations was reused. Furthermore, distinctive patterns in the malware code were identified that linked multiple hacks to the same actor. 

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, explains: 

“Magecart-like skimming campaigns can be difficult to track and protect against. While it hasn’t yet been disclosed how the group was able to gain access to the infrastructure of certain retail sites, the majority of compromises begin with a phishing communication. Traditionally, this has been through email, but with a heavier reliance on mobile devices during the global shift to remote work, SMS, third-party messaging apps, and social media platforms are becoming delivery surfaces for credential harvesting.

Once a malicious individual or group has login credentials, they can quietly inject malicious code into the checkout page of a retail site. Much like a trojanized version of a legitimate mobile app, this is close to impossible for a consumer to spot, and if the retail organization doesn’t have proper security measures built in across all channels, they might not recognize the change in their code until it’s too late. 

Traditionally, seeing a state-sponsored group carry out a card skimming campaign might seem curious, especially if it were a wealthier nation. Magecart is far less complex than what the world is accustomed to seeing from nation-states and is usually carried out by individuals or smaller groups for incremental financial gain. However, North Korea is heavily sanctioned and struggles economically, so it will clearly use whatever tactics it can to get access to funds.

Code injection attacks like this are impossible for a consumer to see and incredibly difficult for an organization to spot if they don’t have the right security tools in place. Much like trojanizing a legitimate version of a mobile app, injecting malicious code into a webpage can be a cheap and easy way to grab a handful of valuable personal data. 

So, what does this say about the group's current TTPs and how they may have evolved over the years?

Lazarus Group has targeted financials for years with a past focus on institutions and online cryptocurrency exchanges. The addition of Magecart to their arsenal shows that they’re taking any measures possible to gain access to funds. By likely using phishing attacks to gain access to employee login credentials, it also shows that they are leveraging more parts of the risk landscape to covertly gain access to organizations’ infrastructure. Across the board, we're seeing governments take on more complex means to track and compromise civilians for various reasons, such as the Chinese government targeting the Uighur population through mobile devices and applications.

Organizations need to lock down every potential risk vector - from customer payment platforms to employee mobile devices. By the same token of giving up their credit card data, an employee could be phished for their login credentials from their mobile device and give a malicious actor access to highly sensitive data inside the corporate infrastructure. Whatever angle is taken, now is a time where IT and security teams must evaluate every possible threat vector that an attacker could take advantage of.”

Brandon Hoffman, CISO, Head of Security Strategy at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, notes:

“It is certainly not a surprise that nation-state activity would cross over into the realm of cybercrime. It has been discussed in intelligence circles for years that the boundary between nation state and cybercrime is becoming blurred. Nation state actors have been repurposing, buying, and using more mainstream cybercrime tools and services to obfuscate their activity. The fact that nation state activity is now directly related to perpetrating attacks for financial gain is not a surprise because many of these countries need another source of funds to cover the costs of teams and to fuel the real goals of nation state hacking. Magecart activity may be the first but won’t be the last. From their perspective, if they have the tools and skills to perform advanced persistent threat activity, why wouldn’t they use them to fill the coffers as well?

To the second point, considering the history of Lazarus group, this shift to more transactional fraud activity makes sense. Back in 2018 a DOJ criminal complaint was unsealed that named one purported member of Lazarus group in activity related to stealing $81 million from a bank, the Sony attack, and even WannaCry ransomware. The fact that Lazarus group, purportedly, was involved in ransomware activity and bank fraud over the years speaks directly to the evolution of these TTPs as in line with the current cybercriminal landscape. I would expect them to keep pace with in-vogue methods and techniques of fraud and exercise their opportunity when they can.”