North Korea (Lazarus Group): A new campaign which is believed to be tied to Lazarus Group was uncovered which was targeting Russian organizations. The campaign utilized malicious office documents to infect Russian organizations, specifically those with U.S. interests, with an updated version of the Keymarble backdoor. The researchers who discovered the campaign tied it to Lazarus group based on the use of Keymarble and “other techniques used in other Lazarus Group attacks.” This is an extremely odd turn of events considering Russia has been one of North Korea’s few supporting allies in the region. After China kicked out North Korean businesses and organizations, they also severely restricted North Korea’s access to the internet. Following this change in relations with China, Russia chose to move in and allow North Korea internet access through Russia. It is highly suspect for North Korea to have targeted Russian entities in light of their relationship. If this actually was the work of Lazarus Group, it could significantly impact the status of Russian and North Korean relations.
It is possible that this was either a false flag operation focused at souring relations between North Korea and Russia, or that it is the work of cyber-criminals who acquired access to the Keymarble malware.