Threat Intelligence Tarot
Major Arcana · 8
North Korea (Reconnaissance General Bureau)
G0032
risk 5/5
The Specter
Lazarus Group
Hidden Cobra · Zinc · Guardians of Peace · APT38 (financial ops)
Financial institutions · Cryptocurrency exchanges · Defense · Media
Active since ~2009 · Sanctions evasion, Financial theft, Espionage, Retaliation
A ghost that needs money. It haunts financial networks and cryptocurrency protocols, not for intelligence, but for the hard currency a sanctioned nation cannot otherwise earn. It has stolen billions. It will steal billions more.
Tactics & Techniques
Tactics: RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1486 Data Encrypted for Impact (Impact)
  • T1204.002 Malicious File (Execution)
  • T1059.001 PowerShell (Execution)
  • T1105 Ingress Tool Transfer (Command and Control)
  • T1134 Access Token Manipulation (Privilege Escalation)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • Sony Pictures hack (2014)
  • WannaCry ransomware (2017)
  • Bangladesh Bank SWIFT heist ($81M, 2016)
  • $625M Ronin Network crypto theft (2022)
Defenses
  • SWIFT Customer Security Programme controls for financial institutions
    SWIFT CSP
  • Cryptocurrency transaction monitoring and wallet screening
    FinCEN guidance
  • Email attachment sandboxing and macro blocking
    CIS Control 9
  • Network segmentation isolating SWIFT / payment systems
    CIS Control 12
Reversed: Their Weakness
WannaCry's kill switch - a single unregistered domain that a British researcher registered for 8 pounds - halted one of history's most damaging cyberattacks. Lazarus Group's urgency became its undoing.

Data sourced from MITRE ATT&CK. For educational purposes.