In the Updated Post Mortem blog posted yesterday, we explained that an independent security firm analyzed the spear phishing trojan used to execute the November 5th attack on bZx. The security firm believes it has identified the group that, in its expert opinion, is responsible for the attack. After obtaining permission from the security firm to release its conclusion, a portion of its findings is included below:
The security firm conducting the investigation is Kaspersky, a multinational cybersecurity and anti-virus provider. On November 6, 2021, a member of Kaspersky's security team contacted bZx and offered to investigate the spear phishing email that the hacker sent to the bZx developer. Kaspersky proceeded to collect relevant information and evaluate the email. Following an analysis of the contents of the email and its attachments, they reported the following findings:
Kaspersky believes that the attack was executed by the Lazarus/Bluenoroff Advanced Persistent Threat group, a group with a long history of attacking financial institutions and cryptocurrency exchanges. The Lazarus Group has strong links to North Korea and is known as a state-sponsored hacking organization. Kaspersky has investigated a number of attacks performed by Lazarus in 2017, 2019, and 2020. Kaspersky concluded that the November 5th bZx attack was likely conducted by the Lazarus Group based on its analysis of the phishing email and its similarity to other tools used by the Lazarus Group. In addition to the analysis of the email and its attachment, Kaspersky concluded that the signature of the attack aligns with previous attacks that were also conducted by the Lazarus Group.
Based on the findings explained above, the Lazarus Group was likely the organization that conducted the attack on bZx on November 5th.