Przejdź do treści

APT Profile – Lazarus Group

The APT with countless lives

About Lazarus Group

It is important to emphasise that there is little consolidated, broadly-recognised knowledge about the Lazarus Group and its specific political affiliations within the North Korean state apparatus compared to the knowledge of other nation-state APTs. The name usually acts as an umbrella term for a wider subset of North-Korean cyber activities and responsible sub-groups, which makes the attribution of specific operations often difficult (see section “Attribution Ambiguities” below). The threat intelligence community, academics, and state authorities have no common understanding of a clearly-defined hierarchy or the organisation of North Korean cyber units and their respective APT designations so far. The present profile therefore seeks to differentiate the more general aspects that can be perceived as a given common denominator from more specific details that are still contested by varying actors analysing the regime’s cyber posture.

In general, the Lazarus Group refers to a large subset of state-sponsored cyber activities of the Democratic People’s Republic of Korea (DPRK), operating as an integral wing of North Korea’s central foreign intelligence agency, the Reconnaissance General Bureau (RGB) that comprises six different bureaus. It is a widely-accepted understanding that North Korean cyber activity of any kind is most likely directed or controlled by the RGB. Within the RGB, most sources, including academic analyses and threat intelligence reports, such as one from Mandiant in 2023, associate the Lazarus group with the RGB Lab 110. Mandiant represents Lab 110 as an expanded/reorganised version of the better-known Bureau 121, often referred to as North Korea’s primary hacking unit. Older sources, such as an academic chapter by South Korean researchers from 2019, consider Lab 110 to be subordinate to Bureau 121. 

Associated APT designations

Country of origin

Period of activity

2009 – today

More APT profiles

  • Research and Analysis
APT Profile – UNC1151

25 maja, 2023
Technical and contextual characteristics of the UNC1151 group are analysed in this APT Profile from the EuRepoC team
APT Profile – APT29

23 lutego, 2023
Technical and contextual characteristics of the APT29 group are analysed in this APT Profile from the EuRepoC team.
Load More

End of Content.

Welcome to our Cyber Incident Dashboard!

For best results, please view on a desktop device.