The Lazarus Group, also known under the names Whois Team or Guardians of Peace, is a group of cybercriminals made up of an indeterminate number of individuals. They were initially a group of criminals, but due to their intended nature, methods and threat on the web, they've been classified as an Advanced Persistent Threat. The cybersecurity community has them under other names, such as Zinc and HIDDEN COBRA.
The earliest instance of a Lazarus APT attack was 'Operation Troy,' taking place between 2009 and 2012. The campaign focused on a distributed denial-of-service (DDoS) attack that took shots at the South Korean government in Seoul. They were responsible for attacks in 2011 and 2013, possibly also an attack against South Korea in 2007. They were noted to have been involved in the 2014 attack on Sony Pictures, showing a growing sophistication and skill in their methods.
The Lazarus APT was also involved in the theft of $12 million from Banco del Austro in Ecuador and $1 million from the Tien Phong Bank in Vietnam. The group also targeted banks in Mexico and Poland, Bangladesh, and Taiwan.
It is unknown at who stands behind the group, but their choice of targets led the security community to suspect they were likely of North Korean origin. The Lazarus APT focused on spying and infiltration attacks, while a different group within their organization was focusing on financial cyberattacks. A direct, repeated IP address link was made between that part of the organization and North Korea, though some researchers believed that might be a misleading tactic to throw investigations off-course.
The Lazarus APT is believed to have two units within the organization's structure:
That is the financial arm of the group responsible for illegal money transfers, most often through forging orders from Swift. They were also named APT38 and Stardust Chollima by other cybersecurity companies and organizations.
Known for attacks focused on South Korean targets, AndAriel is also dubbed Silent Chollima due to their more secretive and low profile nature, compared to their banking cybercrime counterpart. Organizations within South Korea were often targeted within the history of the Lazarus APT, with defense, government, and economic goals being their primary focus.