The Lazarus cyberattack group, known for its cyberespionage operations and illicit financial activities, has intensified its global offensive, now focusing part of its efforts on key organizations in Mexico. With links attributed to the North Korean regime, this collective has perfected the use of advanced techniques to infiltrate corporate networks, steal sensitive information and, in many cases, finance covert state activities.
Their modus operandi reflects a level of sophistication that surpasses most conventional criminal groups. Their most commonly employed methods include targeted phishing, using personalized emails that carry malicious attachments; exploiting known vulnerabilities in unpatched software; and deploying custom malware, such as remote access Trojans or destructive data wipers. They have also compromised software supply chains, pushing malicious code through what appear to be legitimate software updates.
Lazarus' most relevant attacks in Mexico: Theft, espionage and chaos
Lazarus does not discriminate when choosing its victims. They have attacked everything from banks and technology companies to government institutions. And while their methods vary, their motivations tend to revolve around three main objectives:
- Steal money: They've been behind hits on banks and cryptocurrency platforms, using that money to fund activities that aren't exactly legal.
- Spying: They seek strategic data (military, political or technological) that could be useful for their interests, most likely linked to the North Korean government.
- Generate chaos: Some of their attacks seem to be aimed at destabilizing or damaging critical infrastructures, making it clear that they are not only looking for profit, but also for impact.
In short, this is not just any group. They mix financial theft, espionage and sabotage, and they do it with a sophistication that makes them a serious threat, especially for countries like Mexico, which has already felt their presence.
One of the most notorious cases occurred in 2018, when they attempted to steal almost $100 million from the Mexican financial system. Although they did not entirely succeed, the threat was real. Investigators from the then Attorney General's Office (today the FGR) identified classic Lazarus techniques such as spear-phishing and the exploitation of flaws in systems connected to the SWIFT network. It is the same approach they used in the theft of $81 million from the Central Bank of Bangladesh in 2016, so clearly they know what they're doing.
But they didn't stop there. In 2022, they struck again, this time exploiting vulnerabilities in Zimbra mail servers (specifically CVE-2022-27925 and CVE-2022-37042) to infiltrate Mexican government agencies. According to reports, they extracted some 120 GB of emails, targeting sensitive areas such as national security and critical infrastructure.
This incident occurred just after the huge leak of 6 terabytes of information from the Secretariat of National Defense (Sedena) by the Guacamaya collective, which, by the way, exploited the same Zimbra flaws. All of this makes it clear that Lazarus is still on the prowl, looking for unpatched bugs in systems widely used by governments.
Sectors at risk and how Mexico can protect itself from the Lazarus group
Between 2015 and 2016, Lazarus targeted Mexican banks as part of a large-scale financial campaign. Although it is not known for sure how much they managed to steal or which institutions were directly affected, these attacks followed a well-organized playbook: use custom-made malware, generate distractions to cover their movements, and execute fraudulent transfers that allowed them to walk away with the money.
The worrying thing is that the group is not only persistent, but incredibly adaptable. Just remember how in 2017 they were behind the WannaCry ransomware, or that just this year they managed to steal $1.5 billion from cryptocurrency platform Bybit. Each attack shows the same thing: they are very interested in financial targets and have no problem playing dirty to finance their operations.
In Mexico, there are several sectors that are especially at risk. On the one hand, there are government agencies (such as Sedena, Gobernación or Hacienda) that handle sensitive information and often work with old or vulnerable systems, such as Zimbra. For Lazarus, these are juicy targets for spying or extracting strategic information.
In the financial world, names like Banxico, Banorte, BBVA Mexico, and even cryptocurrency platforms like Bitso, are on the radar. Why? Because these attacks are not just about greed, but part of a larger effort to fund the North Korean regime. And if we're talking about critical infrastructure, companies like Pemex or the CFE could also be on the list, either to disrupt services or to extort them with threats of sabotage.
Nor are research and development centers, such as the IPN, or technology startups that are working on innovative solutions, spared. Intellectual property is also a target: it is not just about money, but about power and strategic advantage.
The most common problem that facilitates all these attacks? Lack of updates. Many organizations are still using outdated software, with known flaws that have not been patched, especially in tools like Zimbra. And that, for a group like Lazarus, is an open invitation.
Moreover, their level of sophistication is impressive: from perfectly disguised phishing emails, to destructive malware and supply chain attacks, they know exactly how to get in and cause damage. That's why Mexican organizations need to act now. Some key measures:
- Update all systems as soon as possible, especially Zimbra and Zoho ManageEngine (for example, the vulnerability CVE-2022-47966).
- Train staff to identify suspicious emails and spoofing attempts.
- Use multi-factor authentication (MFA) on all sensitive access.
- Segment networks, so that if someone gets in, they cannot move freely.
- Make offline backups, in case ransomware does its thing.
- Actively monitor with threat intelligence tools.
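As a concrete illustration of the last point, here is an added example (written for this page, not code from the article or from any vendor) of what "actively monitor" can look like for the Zimbra flaws mentioned above. Public write-ups of CVE-2022-27925 and CVE-2022-37042 identified the `/service/extension/backup/mboximport` endpoint as the one abused, so a simple first check is to scan the Zimbra nginx access log for requests to it. The script assumes the standard "combined" nginx log format and uses constructed sample lines; the `trusted` set of administrator addresses is a hypothetical allowlist that a real deployment would fill in from its own inventory.

```python
import re
from dataclasses import dataclass, field

# Endpoint named in public reporting on CVE-2022-27925 / CVE-2022-37042:
# the mboximport extension extracted an uploaded zip without sanitising entry
# paths, and the auth bypass let unauthenticated clients reach it.
MBOXIMPORT = "/service/extension/backup/mboximport"

# Assumption: Zimbra's nginx access log is in the usual "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample lines for the demo; not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2022:03:14:07 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2022:03:15:21 +0000] "POST /service/extension/backup/mboximport?account-name=test HTTP/1.1" 401 0 "-" "python-requests/2.28.1"
198.51.100.7 - - [12/Aug/2022:03:15:22 +0000] "POST /service/extension/backup/mboximport?account-name=test HTTP/1.1" 200 21 "-" "python-requests/2.28.1"
198.51.100.7 - - [12/Aug/2022:03:15:30 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "python-requests/2.28.1"
203.0.113.10 - - [12/Aug/2022:03:16:02 +0000] "POST /service/soap/AuthRequest HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Aug/2022:04:00:00 +0000] "POST /service/extension/backup/mboximport?account-name=test HTTP/1.1" 200 21 "-" "curl/7.85.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


@dataclass
class Report:
    hits: list = field(default_factory=list)
    # source IP -> requests it made after a successful (HTTP 200) import
    followups: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan(lines, trusted=frozenset()):
    """Flag every request to the mboximport endpoint and collect follow-up
    activity from sources whose import succeeded, for triage."""
    report = Report()
    suspect_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path.startswith(MBOXIMPORT):
            if rec["ip"] in trusted:
                severity = "info"       # known admin host (hypothetical allowlist)
            elif rec["status"] == 200 and rec["method"] == "POST":
                severity = "high"       # the import was accepted by the server
            else:
                severity = "medium"     # rejected or probing attempt, still worth a look
            report.hits.append(Hit(rec["ip"], rec["ts"], rec["method"],
                                   rec["path"], rec["status"], severity))
            if severity == "high":
                suspect_sources.add(rec["ip"])
        elif rec["ip"] in suspect_sources:
            report.followups.setdefault(rec["ip"], []).append(
                f'{rec["method"]} {rec["path"]} -> {rec["status"]}')
    return report


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines(), trusted={"192.0.2.5"})
    for h in result.hits:
        print(f"[{h.severity}] {h.ts} {h.ip} {h.method} {h.path} {h.status}")
    for ip, reqs in result.followups.items():
        print(f"follow-up activity from {ip}: {reqs}")
```

Run it against `/opt/zimbra/log/nginx.access.log` (or the archived copies) rather than the sample; a `high` hit from an address that is not a known administrator means the host should be treated as potentially compromised until the imported content has been reviewed, and the `followups` list gives the analyst the next requests from that source to chase.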
And beyond all this, collaboration is key. Government, private companies and cybersecurity experts must work together to share information and strengthen defenses. Lazarus is not just any threat: it is a well-organized, politically motivated group that has put Mexico's financial security, institutional stability and critical infrastructure to the test.
What happened in 2018 and 2022 should not be taken lightly. They are clear signs that cybersecurity needs to be taken seriously. Protecting our systems, upgrading technology and fostering alliances are fundamental steps if we want to be prepared for what is to come. Because one thing is certain: Lazarus is not going to stop.