Recent investigations by cybersecurity firms have uncovered ongoing use of Astrill VPN by North Korean threat actors to conceal their digital footprints.
The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has been observed leveraging Astrill VPN’s infrastructure to mask their true IP addresses during cyberattacks and fraudulent remote work schemes.
Silent Push, a cybersecurity research firm, recently acquired sensitive infrastructure used by the Lazarus Group, revealing crucial insights into their operations.
The company discovered that the group had registered the domain “bybit-assessment[.]com” shortly before the $1.4 billion ByBit cryptocurrency heist.
This domain was linked to an email address previously associated with Lazarus attacks.
Persistent Use of Astrill VPN for Obfuscation
Analysis of logs from the acquired infrastructure exposed 27 unique Astrill VPN IP addresses used by Lazarus operators while they set up and tested the infrastructure.
This finding further confirms the group’s preference for Astrill VPN as its primary tool for hiding its true IP addresses.
The reliance on Astrill VPN extends beyond the Lazarus Group to other North Korean cyber operations.
Mandiant, a prominent threat intelligence firm, reported in September 2024 that North Korean IT workers posing as legitimate freelancers were primarily using Astrill VPN IP addresses to connect to remote management solutions.
These connections likely originated from China or North Korea.
Sophisticated Infrastructure and Ongoing Threats
Security researchers have mapped out a complex network employed by North Korean actors to route their traffic.
This infrastructure involves Astrill VPN exit points, proxy servers, and command and control (C2) servers.
In one instance, connections were traced from North Korean IP addresses through Astrill VPN endpoints and proxy relays before reaching the final C2 servers.
The persistent use of Astrill VPN by North Korean threat actors poses significant risks to global companies.
These operatives, often posing as legitimate remote workers, can access sensitive corporate data, steal intellectual property, and facilitate large-scale financial fraud once they are inside a company's network.
Individual North Korean IT workers have been reported to earn up to $300,000 annually, with the North Korean government retaining up to 90% of these earnings.
As this threat continues to evolve, cybersecurity firms are developing new detection and mitigation strategies.
Silent Push, for instance, has created a “Bulk Data Feed” of Astrill VPN IPs, updated in real time, to help organizations protect against potential North Korean cyber threats. Because Astrill is a commercial service with legitimate customers, a match against such a feed is a signal to investigate rather than proof of North Korean involvement; it is most useful when combined with other context, such as a new contractor account whose every login arrives from VPN ranges.
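To show how a feed like this is put to work, here is an added example of the detection logic an organization might run over its remote-access login logs. It is not Silent Push's code and does not use their feed format; the feed entries and log lines are constructed for the example (RFC 5737 and RFC 3849 documentation addresses, not real Astrill VPN addresses). It flags every login sourced from a listed range and separately reports accounts that have only ever been seen from those ranges, the pattern described above for fraudulent remote workers.

```python
"""Flag remote-access logins whose source IP falls inside a list of known
VPN exit ranges.  Added example, not Silent Push's or Astrill's code.
Feed entries and log lines are constructed (documentation addresses only)."""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a VPN exit-IP feed: one IP or CIDR per line,
# '#' comments allowed.  A real feed would be fetched and refreshed.
VPN_FEED = """
# constructed sample feed, not real Astrill ranges
203.0.113.0/26
198.51.100.77
2001:db8:1::/48
"""

# Constructed remote-management login records: timestamp user src_ip result
SAMPLE_LOGS = """\
2025-03-01T08:02:11Z alice 192.0.2.14 success
2025-03-01T08:05:40Z contractor7 203.0.113.9 success
2025-03-01T09:11:03Z contractor7 203.0.113.41 success
2025-03-01T09:30:55Z bob 198.51.100.77 failure
2025-03-01T10:00:00Z carol 2001:db8:1::beef success
2025-03-01T10:02:00Z alice 192.0.2.15 success
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<result>\S+)$")


def load_feed(text):
    """Parse feed text into ip_network objects; bare IPs become /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_feed(ip_str, nets):
    """Return the feed network containing ip_str, or None (also None if unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None


def parse_logs(text):
    """Turn the whitespace-separated login lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def flag_vpn_logins(log_text, feed_text):
    """Return (hits, vpn_only_users).

    hits: (ts, user, ip, matched_network) for every login attempt from a feed range.
    vpn_only_users: accounts whose every login attempt came from a feed range,
    the stronger signal of a remote worker hiding their real location.
    """
    nets = load_feed(feed_text)
    hits = []
    seen = defaultdict(lambda: [0, 0])  # user -> [total attempts, feed-sourced attempts]
    for rec in parse_logs(log_text):
        net = in_feed(rec["ip"], nets)
        seen[rec["user"]][0] += 1
        if net is not None:
            seen[rec["user"]][1] += 1
            hits.append((rec["ts"], rec["user"], rec["ip"], str(net)))
    vpn_only = sorted(u for u, (total, vpn) in seen.items() if total and total == vpn)
    return hits, vpn_only


if __name__ == "__main__":
    hits, vpn_only = flag_vpn_logins(SAMPLE_LOGS, VPN_FEED)
    for h in hits:
        print("VPN-sourced login:", *h)
    print("Accounts seen only from VPN ranges:", vpn_only)
```

The linear scan over feed ranges is fine for a feed of a few thousand entries; for a large feed, load it into a radix tree (for example the `pytricia` or `SubnetTree` packages) instead. Failed attempts are counted on purpose, since a brute-force or credential-stuffing source arriving through the same ranges is also worth seeing; drop them if you only want successful sessions.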
The ongoing cat-and-mouse game between North Korean actors and global cybersecurity efforts underscores the critical need for continued vigilance and advanced threat detection capabilities in the face of these sophisticated adversaries.