
North Korea’s Lazarus APT targets IT vendor in supply chain attack

The notorious cybercrime group backed by North Korea infiltrated an IT asset monitoring company as it experimented with supply chain attacks, according to Kaspersky Lab.

A notorious cybercriminal group backed by the North Korean government has experimented with ‘supply chain’ attacks, wherein hackers seek to infiltrate high-profile targets by first compromising their suppliers, according to new research from security company Kaspersky Lab. Its targets include an IT asset monitoring company. The group, named Lazarus, is known to be highly effective and cybersecurity experts advise that companies strengthen their risk assessments of new and existing suppliers.

“When a sophisticated threat actor like Lazarus is adopting that kind of approach, then clearly that’s a potential worry.” (Photo by NurPhoto/iStock)

In its latest quarterly APT trends report, Kaspersky Lab says that Lazarus, an APT backed by the North Korean government, has waged at least two supply chain attack campaigns in the last year. Strains of malware associated with the group were detected on the systems of a Latvian IT asset monitoring company and a South Korean think tank. 

Lazarus is among the most notorious state-backed cybercrime groups. It was implicated in an audacious attempt to steal $1bn from the Central Bank of Bangladesh in 2016. The group was initially motivated by geopolitics, according to Kaspersky Lab, but has since moved on to hacking for financial gain. Thanks to capabilities such as Lazarus, North Korea is now “probably the most sophisticated bank robber around,” former GCHQ director Robert Hannigan told Tech Monitor earlier this year.

Supply chain attacks, wherein hackers compromise targets through their less-secure suppliers, have grown in volume in recent years. High-profile examples include last year’s attack on IT management vendor SolarWinds, which resulted in more than 30,000 public and private sector organisations being compromised, and the breach at Kaseya MSP, which led to as many as 1,500 of its customers falling victim to ransomware.

Lazarus is not the only APT pursuing supply-chain attacks. Chinese-speaking APT BountyGlad has exhibited “an increase in strategic sophistication” of such attacks, according to an earlier report from Kaspersky Lab. The technique’s growing popularity among APTs is of little surprise, says David Emm, principal security researcher at the company. “If you can go to the head of the stream, then obviously, it gives you scope for targeting people further down that stream.”

But for a group as proficient as Lazarus to be pursuing supply chain attacks is cause for alarm, Emm adds. “When a sophisticated threat actor like Lazarus is adopting that kind of approach, then clearly that’s a potential worry because it gives them a springboard into a wider attack surface.”

It is a trend that is likely to continue, says Javvad Malik, lead security awareness advocate at security platform KnowBe4. “Going forward, we can expect that Lazarus and many other groups will turn their attention to attacking companies in the supply chain,” he says. “These are usually smaller companies, or ones which have weaker security controls.”

How to mitigate the risk of supply chain attacks

Already, suppliers are a considerable source of cybersecurity risk. Earlier this year, a survey of 1,200 IT and procurement leaders by security vendor BlueVoyant found that 93% have suffered a cybersecurity breach because of weaknesses in their supply chain or third-party vendors, and 97% have been negatively impacted by a cybersecurity breach that occurred in their supply chain.

Awareness of that risk is improving, however, the survey found: 87% of respondents said that third-party risk was a priority (either ‘somewhat’ or a ‘key’ priority), up from 65% last year.

In the face of growing supply chain attacks, companies must actively assess and mitigate the cybersecurity risk associated with each of their suppliers, says Emm. “Facilitating certain conditions on contracts when they’re looking to bring a supplier on board, or expecting certain certifications or certain commitments from a supplier [can help].”

Sharing cybersecurity knowledge and expertise with suppliers, who maybe have fewer resources to defend themselves, can also help to reduce these risks, Emm adds. “Sharing your knowledge and capability in terms of the threat landscape is useful for that supplier and helps to make your own system resilient.”

Claudia Glover

Claudia Glover is a staff reporter on Tech Monitor.