North Korea-aligned hackers branching out into mobile phones: report

The Lazarus Group, the North Korea-linked hacking group that famously attacked Sony Pictures in 2014, has made its first efforts to hack mobile phones, according to McAfee researchers.

“[Two weeks ago], the mobile team came to my team with malware targeting South Korea,” McAfee Lead Scientist and Principal Engineer Christiaan Beek told The Hill. “It contained artifacts we had seen before.” 

The malware is transmitted through a tainted version of a Korean-language bible study application. The legitimate version of the app from the Google Play store has been downloaded 1,300 times. It is unclear where victims are downloading the fake version of the app.

Lazarus Group is best known in the United States for catastrophically interrupting business at Sony Pictures in response to the movie “The Interview,” which depicted the assassination of North Korean leader Kim Jong Un.

The group has also been attributed to destructive attacks on South Korea government systems and, since 2015, a series of digital bank robberies totaling hundreds of millions of dollars. 

{mosads}

The group has also been tied to this year’s WannaCry malware outbreak that took a heavy toll on international businesses and government networks, including briefly shuttering hospitals throughout the United Kingdom. 

Beek said that the malware shares many attributes with the desktop malware Lazarus has used in the past, including a proprietary, fake version of the Transport Layer Security protocol, and the use of the same command and control servers the group has previously used. 

He added that the intention of the malware was not immediately clear and speculated it may have been intended as a “trial flare” for new mobile attacks. 

Another possible explanation, shared by McAfee Monday afternoon, is that Lazarus intended to target the South Korean group GodPeople that has supported banned church groups in the North. GodPeople manufactured the authentic version of the app.

The malware is detailed in a report McAfee released Monday. While the report links the attacks to Lazarus, it does not explicitly link Lazarus to North Korea. However, several Lazarus attacks, including the Sony and WannaCry attacks, have been linked by U.S. and British Intelligence to North Korea. 

Lazarus has recently been seen largely in attacks intended on generating revenue for the heavily sanctioned North Korean regime. 

Beek suggested Lazarus likely had multiple divisions, including a financial crime group and an espionage group, each working separately with similar malware. 

This story was updated at 12:48 p.m.