As reported by Reuters, the cybersecurity research and software developer Symantec has fingered the North Korean hacking group Lazarus for a recent string of mass hacks. The name Lazarus may sound familiar as they were blamed for the hack of Sony in 2014, the Bangladesh central bank heist of $81 million, and other well-reported cybersecurity incidents. In this case, the cyberattacks that Lazarus is being blamed for is a result of digital forensics that seem to indicate the group’s modus operandi.
The incidents in question involve 31 countries including the United States, Poland, Chile, Mexico, and Brazil. The targets were unnamed organizations, which means, possibly, that the organizations conduct classified operations. Government officials at entities like the FBI are refusing to comment to the press and Symantec itself is being rather coy with its evidence.
The verbal evidence that was shared by Symantec supposedly connects Lazarus due to four separate pieces of loader software similar to that used in the Sony hack and beyond. The malicious payload is reported to have been distributed by “websites that intended victims were likely to visit” i.e. a “watering hole” attack. Symantec claims that the targets were isolated by IP addresses corresponding with the reportedly 104 organizations.
The air of secrecy surrounding these supposed attacks is concerning. At the time of writing this, there is no detailed threat report on Symantec’s website about this incident. That is problematic for any security research company when reporting on a hacking incident. Additionally, government officials are not commenting on the incident. The only evidence is claims that Symantec itself has made to the press, and honestly, the statements are not objectively verifiable evidence.
Nobody in the cybersecurity community can analyze source code or anything else related to these attacks, so how can we verify Symantec’s claims? If classified data is the concern, why even report these incidents to the press in the first place? How do we know that Lazarus was behind this and not some other group (or groups) that obtained the malicious source code on the Dark Web?
I’m going to be honest here: I don’t know if Symantec is acting in the best interest of the security community. We need to be able to work together, especially if the threat is as as dangerous and far-reaching as is being claimed. I cannot accept the reports on word alone, and frankly, I’m slightly disturbed that we are almost hoping that Lazarus is behind this. In the Reuters report, Symantec was quoted as researching a prior incident affecting Polish banks that “weak evidence” connected the hackers to the case.
Is there a case of attributing evidence based on personal biases or agendas occurring here? Honestly, I don’t know, but I do know that such massive claims implicating a foreign power publicly need to be backed up by more than words. Either go public or don’t, but if you choose to go public you must provide detailed data to verify your claims.
Photo credit: Flickr / Stephan