Lazarus Group Data Theft

Status: active
Attacker Type: HYBRID
Confidence: 88%
Kill Chain: Collection
Events: 423
CRS Score: 93
Elapsed: 1.5h

EVENT TIMELINE
[high]     09:30:00  Anomalous query pattern on financial data warehouse
[critical] 09:31:00  Systematic data collection identified -- Lazarus TTP match
[info]     09:32:00  CIE: Real data replaced with synthetic records
ATTACK NARRATIVE
A Lazarus Group-attributed campaign targeting financial data has been detected in the collection phase. The attacker has compromised a service account with read access to the data warehouse and is systematically querying customer financial records. The Data Agent detected the anomalous query patterns and has been replacing real results with convincing synthetic data. The attacker has collected 2.3GB of fabricated records believing them to be genuine. Meanwhile, all genuine data access from the compromised account has been revoked.
Affected Assets
  - rds-financial-prod
  - redshift-analytics
  - svc-account-etl-reader
  - s3-data-lake-raw

Agent Layers Involved
  - data
  - cloud
  - identity

PREDICTED NEXT MOVES
  01  Stage collected data for exfiltration via cloud storage
  02  Deploy custom C2 channel over HTTPS
  03  Modify CloudTrail logging to cover tracks

Pre-Blocked Paths
  [BLOCKED]  Stage collected data for exfiltration via cloud storage
  [BLOCKED]  Deploy custom C2 channel over HTTPS
  [BLOCKED]  Modify CloudTrail logging to cover tracks

COUNTER-ACTIONS EXECUTED
  09:32:00  Replaced query results with synthetic data
  09:35:00  Revoked genuine data access for compromised account
  09:40:00  Deployed additional data canary tokens