North Korean hackers are probably working with Russian-speaking cybercriminals on ransomware and other malicious software, researchers said Wednesday.
Security firm Intel 471 said in a report it found links between North Korean hacker group Lazarus, known for attacks on banks worldwide, and a Russian-operated malware operation called TrickBot.
TrickBot is described in the report as a "malware-as-a-service offering, run by Russian-speaking cybercriminals, that is not openly advertised on any open or invite-only cybercriminal forum or marketplace."
It works with "top-tier cybercriminals with a proven reputation," the report said.
The Intel 471 report said other security researchers have pointed to possible links between the groups, but that its investigation found more evidence, including signs that malware developed in North Korea was offered for sale on Russian marketplaces.
"Our conclusion is that we deem it likely that threat actors running or having access to TrickBot infections are in contact with DPRK (North Korean) threat actors," the report said.
"DPRK threat actors likely are active in the cybercriminal underground and maintain trusted relationships with top-tier Russian-speaking cybercriminals."
It added that "malware believed to be only used and probably written by DPRK threat actors was very likely delivered via network accesses held by Russian-speaking cybercriminals."