{ "type": "bundle", "id": "bundle--95f75d2e-8cbf-460b-a3a2-efbf99ef2f7e", "spec_version": "2.0", "objects": [ { "modified": "2023-03-30T19:01:41.451Z", "name": "Lazarus Group", "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). 
", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "ZINC", "NICKEL ACADEMY" ], "x_mitre_deprecated": false, "x_mitre_version": "3.2", "x_mitre_contributors": [ "Kyaw Pyiyt Htet, @KyawPyiytHtet", "Dragos Threat Intelligence" ], "type": "intrusion-set", "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "created": "2017-05-31T21:32:03.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0032", "external_id": "G0032" }, { "source_name": "Labyrinth Chollima", "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)" }, { "source_name": "ZINC", "description": "(Citation: Microsoft ZINC disruption Dec 2017)" }, { "source_name": "Lazarus Group", "description": "(Citation: Novetta Blockbuster)" }, { "source_name": "NICKEL ACADEMY", "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)" }, { "source_name": "Guardians of Peace", "description": "(Citation: US-CERT HIDDEN COBRA June 2017)" }, { "source_name": "CrowdStrike Labyrinth Chollima Feb 2022", "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.", "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/" }, { "source_name": "Novetta Blockbuster", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" }, { "source_name": "Secureworks NICKEL ACADEMY Dec 2017", "description": "Secureworks. (2017, December 15). 
Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.", "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" }, { "source_name": "Microsoft ZINC disruption Dec 2017", "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.", "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/" }, { "source_name": "HIDDEN COBRA", "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)" }, { "source_name": "Treasury North Korean Cyber Groups September 2019", "description": "US Treasury. (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.", "url": "https://home.treasury.gov/news/press-releases/sm774" }, { "source_name": "US-CERT HIDDEN COBRA June 2017", "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.", "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A" }, { "source_name": "US-CERT HOPLIGHT Apr 2019", "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019.", "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }