Operation SyncHole: Lazarus APT Targets Supply Chains in South Korea
The North Korea-linked Lazarus Group has launched a sophisticated cyber espionage campaign, dubbed Operation SyncHole, targeting at least six firms in South Korea. The campaign, which has been active since November 2024, utilizes watering hole tactics and exploits software vulnerabilities to gain access to the targeted organizations' systems.
The Targeted Organizations
Targeted organizations in South Korea include firms in the IT, finance, semiconductor, and telecom sectors. With more compromised organizations likely still under attack, the Lazarus Group's tactics indicate a coordinated effort to infiltrate critical infrastructure.
Kaspersky researchers discovered that the threat actor exploited a one-day vulnerability in Innorix Agent for lateral movement. The attackers used multiple hacking tools and malware families, including ThreatNeedle, the Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE, to achieve their objectives.
The Malware and Hacking Tools
During the first phase of Operation SyncHole, the Lazarus Group used updated versions of the ThreatNeedle, wAgent, and Agamemnon malware. ThreatNeedle was split into Loader and Core components and used ChaCha20 encryption with Curve25519 key exchange, along with system persistence techniques.
wAgent included AES-128-CBC decryption and implemented RSA via the GMP library. Agamemnon delivered payloads using novel methods such as Tartarus-TpAllocInject.
The Shift to Modular, Stealthy, and Locally Tailored Malware
In the second phase of Operation SyncHole, the Lazarus Group introduced SIGNBT and COPPERHEDGE. SIGNBT 1.2 focused on payload delivery with encrypted C2 communication, while COPPERHEDGE was used for internal reconnaissance.
This operation showcases the Lazarus Group's shift to modular, stealthy, and locally tailored malware, reflecting a continued effort to evade detection and minimize the risk of exposure.
Consequences and Future Expectations
The Lazarus Group's specialized attacks on supply chains in South Korea are expected to continue. Many software development vendors in Korea have already been attacked, and if a product's source code has been compromised, further zero-day vulnerabilities in that product may continue to be discovered.
According to Kaspersky researchers, "The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware. In particular, they introduce enhancements to the communication with the C2, command structure, and the way they send and receive data."
Indicators of Compromise (IoCs) for Operation SyncHole
Kaspersky researchers have published a list of Indicators of Compromise (IoCs) for this campaign. These IoCs cover the exploited software vulnerabilities, hacking tools, malware, and other relevant information that can help organizations detect and respond to future attacks.