BlueNoroff is a highly sophisticated North Korean state-sponsored cyber threat group, widely recognized as a financially motivated subunit of the larger Lazarus Group. Emerging in the early 2010s, BlueNoroff specializes in targeting financial institutions, cryptocurrency exchanges, venture capital firms, fintech companies, and ATMs across the globe, including in Europe, Asia, the United States, and the United Arab Emirates.

Origins and Structure

BlueNoroff is believed to have been formed by the North Korean government as a direct response to increased global sanctions, with the explicit goal of generating illicit revenue to support the regime’s priorities, including its nuclear weapons and ballistic missile programs. The group operates as a sub-cluster within the Lazarus Group (also tracked under aliases such as APT38 and TA444), leveraging Lazarus’s resources, malware, and infrastructure for its operations. First identified by cybersecurity firms around 2014, BlueNoroff’s activity marked a shift in North Korean cyber operations from espionage to overt financial theft.

Tactics, Techniques, and Targets

BlueNoroff is notorious for its advanced social engineering, phishing campaigns, and the deployment of malware tailored for both Windows and macOS systems. The group has demonstrated expertise in reverse engineering financial software, exploiting vulnerabilities in systems like SWIFT, and crafting multi-stage infection chains to infiltrate targets.

Recent campaigns have included the use of deepfake video calls and fake job offers to deceive employees at cryptocurrency and Web3 firms, ultimately tricking them into installing malware. The group often creates fake venture capital or crypto-related companies to build trust with targets before launching attacks.

Notable Attacks and Impact

BlueNoroff was responsible for the infamous 2016 Bangladesh Central Bank heist, in which approximately $80 million was stolen through fraudulent SWIFT transactions. By 2018, the group had attempted to steal over $1.1 billion from financial institutions worldwide, with successful attacks in countries such as Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. In recent years the group’s operations have shifted to focus heavily on cryptocurrency theft, exploiting the rapid growth and sometimes lax security of crypto startups and exchanges.

Synonyms:
CageyChameleon, Copernicium, Sapphire Sleet, Stardust Chollima