A threat actor thought to be the North Korean advanced persistent threat (APT) group Lazarus has been targeting its southern neighbor for more than a year in an orchestrating spear-phishing campaign, says data from cybersecurity firm Zscaler.

The main attack vector used by the group is thought to have been credential phishing attacks launched against specific victims via bogus emails claiming to be from Naver, a popular search engine and web portal used by around 25 million people – roughly half the population of South Korea.

“ThreatLabz has been closely monitoring a campaign targeting users in South Korea,” said Zscaler, reporting on the findings of its research team. “This threat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures – we believe with high confidence that the threat actor is associated with Lazarus.”


Moreover, Lazarus is apparently building on last year’s success with Naver, expanding its illicit operation to start spoofing other high-profile legitimate providers in South Korea, including security vendor AhnLab, cryptocurrency exchange Binance, and the Korea Internet Information Center.

ThreatLabz said it managed to turn the tables on Lazarus because it reused core parts of its infrastructure for the differing attacks, which the cybersecurity team traced and attributed to the APT group.

“Our research led us to the discovery of command-and-control domains even before they were used,” it said. “This proactive discovery of attacker infrastructure helps us in preempting the attacks.”

Zscaler also praised Dropbox for its timely collaboration in taking down accounts used by Lazarus in its phishing scams, and sharing threat intelligence that led to the group being identified as the culprit behind the attacks.

Now anyone can go phishing

Further research by Zscaler indicates that the North Korean campaign could be part of a wider trend that has seen phishing attacks of all kinds rise more rapidly than other forms of cybercrime, with a 29% overall increase reported last year.

Zscaler said the rise was partly due to increased availability of “phishing kits” that can be bought off the shelf on dark web forums, contributing to a rising number of cybercriminals keen to cast a line.

“Phishing kits package up pre-built tools to make attacks easier to wage, even by adversaries who lack strong technical skills, and harder to spot for security teams,” it added.

The growth of the problem was not merely quantitative, however: cybercriminals have also become more devious, mimicking major online brands – including Microsoft in nearly a third of cases – to lure victims, and even investing in legitimate advertising services offered by Google to boost the outreach of their scams.

Other popular brands spoofed by phishers included Telegram (6.5% of recorded cases) and Amazon (5.8%), with fears of COVID often exploited too (7.2%).

Some feel the pain more than others

Certain sectors have borne the brunt of the surge, with retail and wholesale industries suffering a staggering 436% annual increase in phishing attacks directed at them in 2021. Interestingly, during the same period, the healthcare and services sector experienced a considerable respite from such scams, which fell by 59% and 33% respectively.

The US remains the top targeted country, with six in ten attacks directed there last year, followed by Singapore in second place and Germany third. However, other countries are catching up: attacks on Americans rose just 7%, a slower rate of growth than elsewhere.

The increased drive towards social-engineering campaigns – which seek to dupe a victim into revealing vital information about themselves or parting with their money of their own free will – is thought to be caused by cyber defenses improving, discouraging crooks from resorting to brute-force hacking attacks.

“Organizations have been improving their threat prevention capabilities, leading attackers to use more sophisticated methods,” said Zscaler. “Phishing provides adversaries with legitimate login credentials, allowing them to subvert security controls and compromise systems.”

“Avoiding the latest breed of phishing attacks requires heightened awareness from users, additional context, and a zero-trust approach,” it added.


More from Cybernews:

North Korea’s ‘all-star squad’ threat actor

The notorious Lazarus group is attacking the world, an expert told CyberNews

Angry tweeters ditch Musk for Mastodon

The summoning of Ukraine’s IT army let the genie out of the bottle – interview

Russia correlates cyberattacks with its kinetic military operations in Ukraine – Microsoft

Subscribe to our newsletter