North Korean state-backed hackers appear to be cooperating with Eastern European cybercriminals, a report https://labs.sentinelone.com/the-fatal planeswalker-how-the-trickbot-bunch joined cutting edge crimeware-able said on Wednesday, a finding that suggests sophisticated criminals and state-sponsored spies are finding common ground online.
Mountain View, California-based SentinelOne says that the Lazarus Group - which American prosecutors accuse of orchestrating the leak of emails from Sony Pictures and stealing millions of dollars from the Central Bank of Bangladesh - is gaining access to some of its victims through a cybercrime gang known as "TrickBot."
"For me it's the biggest crimeware story since I don't know when," said Vitali Kremez of SentinelOne. "The Lazarus group has a relationship with the most sophisticated, most resourceful Russian botnet activity on the landscape."
Hints that Lazarus and TrickBot operators are cooperating had surfaced before. In April, a BAE researcher said https://www.wired.com/story/atm-hacks-swift-arrange she and others were weighing the hypothesis that the cybercriminals were selling access to compromised organizations to Lazarus, a bit like a fence selling stolen door keys to a burglar.
In July, the cybersecurity arm of Japanese telecommunications company NTT speculated https://technical.nttsecurity.com/post/102fnog/directed trickbot-movement drops-powerbrace-secondary passage that North Korea may be collaborating with Lazarus and TrickBot's operators.
Kremez said he found proof. TrickBot communicated with a Lazarus-controlled server just a couple of hours before that same server was used to help break into the Chilean interbank network not long ago, he said. American officials have also blamed the multimillion-dollar heist on North Korea.
"That is the strongest possible proof connecting to a praised case of Lazarus intrusion," said Kremez.
Kremez said the TrickBot operators were likely leasing their services to the North Koreans, or perhaps working on a commission basis.
The judgment was seconded by Assaf Dahan of Boston-based Cybereason, which is publishing its own, separate report https://www.cybereason.com/blog/mooring from-a-trickbot-contamination to-the-discovery-of-the-grapple malware on TrickBot's operations on Wednesday. He reviewed SentinelOne's research and said its conclusions were credible, adding that he was confident the cybercriminals knew they were dealing with the North Korean government.
"Whether they give it a second thought or not is another thing," he said.