The Lazarus group: North Korean scourge for +10 years

Responsible for some of the largest cyber attacks worldwide

30 June 2022

By NCC Group

In this article

  • The North Korean threat actor, Lazarus, has operated for more than 10 years and is behind infamous cyber incidents such as the attack on Sony Pictures in 2014 and the spread of the WannaCry ransomware in 2017.

  • Unlike other state actors, Lazarus is highly financially motivated and attempts to boost the feeble North Korean economy.

  • Due to government support and instigation, North Korean threat actors face no risk of prosecution in their home country; on the contrary. It’s therefore very likely that the Lazarus group will continue to operate for years to come.

State actors are cyber threat groups that operate in the interests of their state. They generally engage in espionage, stealing sensitive information to benefit their homeland politically or economically; Sometimes, they perform sabotage, as part of broader military operations, for reasons of national security or to political ends. They are rarely financially motivated, and this is where the North Korean threat group known as Lazarus differs from most other state actors: starting in 2009, it robs banks and hacks into cryptocurrency exchanges to fill its state coffers.

Boosting the North Korean economy with WannaCry ransomware and other nation state cyber attacks

Isolated from the rest of the world, a political pariah, and facing sanctions, the North Korean economy is in dire straits. The regime has found cybercrime as one of its ways to boost the economy; And the regime needs money (and knowledge) to further its national ambitions, such as the development of missiles and nuclear weapons. To get there, North Korean cyber criminals conduct attacks on banks and cryptocurrency exchanges and export ransomware.

Lazarus gained notoriety for its attack on Sony Pictures in 2014 and an ingenious cyber heist on the Central Bank of Bangladesh in 2016 that stole $81 million. That loot, however, was but a fraction of what it could have been, but more on that later. In May 2017, Lazarus spread the WannaCry ransomware, encrypting victims' files and demanding a ransom between $300 and $600 in bitcoin to unlock their data. The attackers presumably withdrew approximately $150.000 worth of bitcoin several months after the attack. More than 200,000 computers across 150 countries were hit, with total estimated damages ranging from $4 billion to even hundreds of millions to billions of dollars. In the UK, for example, the national health service suffered a particularly hard blow; emergency departments were affected, and urgent appointments had to be rescheduled. Total estimated damage for the NHS: £ 5,9 million.

A strongly motivated threat actor

These and other sophisticated attacks have shown Lazarus to be a formidable threat group. However, the group is generally perceived not to be on par with many other state-backed threat groups. Our research into adversarial operations indicates that Lazarus consists of different teams of varying quality; top teams exhibit highly skilled operational capabilities, but some activities appear to be executed by lower-tier operators. There is also a suspicion that other hackers are carrying out attacks on behalf of Lazarus. However, the teams are strongly motivated to continue until they reach their goal.


Lazarus develops their own attack tools and malware, can use innovative attack techniques, works very methodically, and takes their time. In particular, the North Korean methods aim to avoid detection by security products and to remain undetected within the hacked systems for as long as possible.

Get monthly updates on the latest threat intel straight in your inbox.

Sign up for our Threat Pulse newsletter.

More reckless than Russian threat actor groups

At the same time, North Korean threat actors distinguish themselves from other sophisticated groups by operating more recklessly, as if they are not afraid of being caught. In any case, they have nothing to fear from the North Korean government; after all, they operate in the interests of the state and their Great Leader. This gives North Korean actors even more room to achieve their goals than state actors from other countries. The country is not or hardly sensitive to external (political) pressure to comply with internationally accepted rules. The country has no regard for what other countries consider acceptable behavior. Now it is also said about Russia that nothing hinders hackers there. But the sudden disappearance of the notorious Russian groups DarkSide and REvil after their recent disruptive ransomware attacks makes it likely that Russia has succumbed to American political pressure.

State-run training

Free internet does not exist in North Korea. The government completely controls internet access. The possibility that North Korean hackers can do anything on their own is, therefore, virtually impossible. All cyber attacks are undoubtedly explicitly authorized or even initiated and directed by the regime. Moreover, the hackers are known to be recruited and trained by the government. Thousands of young North Koreans, the potential hackers, are selected as early as the age of 11 and are given privileges such as spacious apartments and exemption from military service.


As mentioned above, the free internet does not exist in North Korea, while aspiring hackers need to gain experience with it. Hence, the talents are sent to China - the only country that still maintains reasonable relations with North Korea. In China, they learn how computers and the internet are used in the free world before going to work for the regime as a hacker. In addition, aspiring hackers are likely to be recruited from the military and technical universities.

The attack on Sony by The Guardians of Peace: A matter of revenge?

Lazarus has been an active cyber collective since 2009. Its most high-profile hack took place in 2014. The target was Sony Pictures Entertainment. According to Sony itself, the attack caused $15 million in damages, covered by the company's insurance. Other estimates range from $35 million to more than $85 million in recovery costs, not to mention the massive reputational damage. The attack was carried out by The Guardians of Peace which, it later became known, was made up of Lazarus members. The hackers had reportedly been operating in Sony's systems for more than a year before attacking. During the attack, large amounts of data were siphoned off that were later published bit by bit. The hackers also had access to unreleased films from Sony Pictures as well as emails and the personal information of thousands of employees.


There was plenty of speculation about the real purpose of the attack. It could be an act of revenge because Sony wanted to release a movie in which the North Korean leader played a very unwelcome role. The Guardians of Peace, in defiance of their name, have also threatened harsh action against those who would go see the film. The North Korean government has denied any involvement, of course. There are also doubts as to whether it was North Korean hackers. Given the highly sophisticated attack, it could also have been Russian hackers. Enlisted by the North Korean government, though.

The Bangladesh Bank heist: “Only” $81 million loot

In February 2016, the Lazarus Group successfully managed to raid Bangladesh Bank. Hackers began transferring funds totaling $951 million, almost the entire contents of the Bangladesh Bank's New York Fed account. As with the attack on Sony, the hackers had ample time to prepare everything. In retrospect, it turned out that they had been accessing Bangladesh Bank's computer systems for a year. They got in by sending an email with an application to some Bangladesh Bank employees in January 2015. One of the employees opened the email, downloaded the documents with malicious software, and the bank got infected.


The hackers were very meticulous and even managed to remotely sabotage a printer used to record transactions on paper to avoid detection. That Lazarus did not get the intended loot of nearly a billion dollars in the end, but "only" $81 million, was due to a curious coincidence. A bank branch in Manila to which the hackers wanted to transfer funds was located on Jupiter Street. However, 'Jupiter' also turned out to be the name of a suspicious Iranian ship, which set off an alarm at the Fed, after which all but five transactions were halted. These five transactions totaled $101 million. A similar coincidence then stopped another $20 million: A bank employee saw a spelling error and reversed the transaction.

A shift in targets

North Korean cyberattacks primarily aim at the regime's historical archenemies: South Korea and the U.S. Typically, the various components of the Lazarus collective attack government agencies, defense units, financial institutions, and industrial conglomerates. The group has supplemented these lucrative and politically interesting targets in the mid-2020s with biotech companies and universities engaged in Covid-19 research. North Koreans are also susceptible to corona, and the autarchic country is no doubt eager to make its own vaccine. There are also signs that Lazarus is targeting the transportation sector. There will be an economic consideration behind this, as during pandemics, for example, container shipping goes through a huge spike with unprecedented price increases and, therefore, more revenue.

No goodbye to the Lazarus corporation anytime soon

In December 2020, the U.S. Department of Justice filed charges against three North Korean hackers for stealing $1.3 billion in cryptocurrency, among other things. Whether it will ever come to arrests and trial, let alone deter Lazarus, is highly unlikely. Not much can be expected from politics either. Under President Donald Trump, it seemed for a while that the U.S. was getting a better relationship with "little rocket man" Kim Jung-un, but it hasn't come to that. On the contrary, North Korean attacks have continued after the rapprochement attempts between the U.S. and North Korea in 2018. Due to government support and direction, cyber-attacks have become a thriving "field" in North Korea, both for classic espionage and to supplement its dire finances. The national interest, or rather the interest of the regime of Kim Jung-un, is paramount, which means that the North Korean hackers have nothing to fear in their own country, on the contrary. It is, therefore, to be expected that the rest of the world will not be rid of Lazarus for a long time.

Want to know how best to prevent a Lazarus-style attack?

Read our recommendations in our blog post or watch our Threat Monitor webinar where we shine a light on the Lazarus group.