North Korean state-backed hackers appear to be co-operating with Eastern European cybercriminals, a report said, a finding that suggests digital gangsters and state-backed spies are finding common ground online.
Mountain View, California-based SentinelOne says the Lazarus Group – which American prosecutors accuse of organising the leak of emails from Sony Pictures and stealing millions of dollars from the Central Bank of Bangladesh – is accessing some victims through a cybercrime gang dubbed “TrickBot.”
“For me it’s the biggest crimeware story since I don’t-know-when,” said Vitali Kremez of SentinelOne. “The Lazarus group has a relationship with the most sophisticated, most resourceful Russian botnet operation on the landscape.”
Hints that Lazarus and TrickBot operators are co-operating surfaced previously. In April, a BAE researcher said she and others were weighing the theory that the cybercriminals were selling access to compromised organisations to Lazarus, a bit like a fence selling stolen door keys to a burglar.
In July, the cybersecurity arm of Japanese telecommunications company NTT speculated North Korea might be collaborating with Lazarus and TrickBot operators.
Kremez said he found evidence. TrickBot communicated with a Lazarus-controlled server hours before the same server was used to break into the Chilean interbank network earlier this year, he said. American officials blamed the multimillion-dollar heist on North Korea.
“That’s the strongest possible evidence linking to a celebrated case of Lazarus intrusion,” said Kremez.
Kremez said TrickBot operators were likely renting out services to the North Koreans or working on a commission basis.
The judgment was seconded by Assaf Dahan of Boston-based Cybereason, which is publishing its own, separate report on TrickBot’s operations. He reviewed SentinelOne’s research and said its conclusions were credible, adding he was certain the cybercriminals knew they were dealing with the North Korean government.
“Whether they care or not is a different thing,” he said.