Germany and S.Korea warn of N.Korean hacker attacks on defense sector worldwide


Germany's federal intelligence agency (BfV) and South Korea's National Intelligence Service (NIS) issued a joint cybersecurity advisory highlighting sophisticated tactics used by North Korean actors, namely Lazarus, in their cyber-espionage campaigns targeting the global defense sector.

The primary objective of these attacks is the theft of advanced military technology information to bolster North Korea's military capabilities.

The advisory details two cases attributed to the North Korean hackers.

The first case involves a malicious campaign directed at a defense research center, while the second outlines Lazarus' use of social engineering tactics to target defense companies.

In the first incident, occurring at the end of 2022, a North Korean cyber actor executed a supply-chain attack against a research center specializing in maritime and shipping technologies. The hackers infiltrated a supplier responsible for maintaining one of the research center's web servers, subsequently compromising the primary target. Leveraging the patch management system (PMS) of the research center, the cyber actor deployed a remote access trojan to gain access to sensitive information, including account credentials and email contents.

Although the research center had strengthened its security, the threat actor persisted in malicious activities, exploiting vulnerabilities such as a file-upload vulnerability on the website and resorting to spear-phishing tactics.

The advisory also details Lazarus' use of social engineering techniques, including the creation of fictitious profiles on online job portals to establish credibility within the defense sector. By meticulously crafting profiles resembling those of legitimate headhunters, the actors seek out employees with access to valuable assets within targeted companies.

Once a suitable target is identified, the actor initiates contact through the job portal's messaging service, engaging in prolonged conversations aimed at building trust. The targeted employee may be enticed with lucrative job offers.

The advisory notes that the threat actor has evolved different approaches to bypass the security measures of the targeted employee's company. These include a tailored PDF file and a PDF reader containing malware, a series of links leading to a cloud-based service storing the first-stage malware, and a malicious VPN file contained in a ZIP file.

“More recently the job offers have been directed to programmers where the actor sends zip files containing an iso image with a coding challenge which has to be solved as part of the recruitment process. As soon as the programmer executes the challenge, the machine gets infected with the first stage malware,” the two agencies wrote.
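As an added example, not code from the advisory or the agencies, the following Python check scans a ZIP attachment for the lure pattern the agencies describe (a disk image, such as an ISO, carried inside a ZIP), flagging members both by extension and by the ISO 9660 volume-descriptor signature, so a renamed image is still caught. The sample archive is constructed inline; the only assumption is the standard ISO 9660 layout.

```python
import io
import zipfile

# Standard ISO 9660 layout: the primary volume descriptor sits at sector 16
# (offset 0x8000); byte 0 is the descriptor type, bytes 1-5 are "CD001".
ISO9660_MAGIC = b"CD001"
ISO9660_MAGIC_OFFSET = 0x8001
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")


def looks_like_iso(data: bytes) -> bool:
    """True if the payload carries an ISO 9660 primary volume descriptor."""
    return data[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + 5] == ISO9660_MAGIC


def scan_zip(blob: bytes) -> list[str]:
    """Return one finding per ZIP member that matches the disk-image-in-archive pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            data = zf.read(info)
            if lower.endswith(DISK_IMAGE_EXTS):
                findings.append(f"{name}: disk image by extension")
            elif looks_like_iso(data):
                # Extension does not say "image", but the content does.
                findings.append(f"{name}: ISO 9660 signature under a non-image name")
            if lower.endswith(".zip"):
                findings.append(f"{name}: nested archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'coding challenge' ZIP with one .iso and one renamed ISO."""
    iso = bytearray(ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC))
    iso[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + 5] = ISO9660_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("coding_challenge/challenge.iso", bytes(iso))
        zf.writestr("coding_challenge/README.txt", "Solve task 1 and return your solution.")
        zf.writestr("coding_challenge/task.dat", bytes(iso))  # ISO hidden behind .dat
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```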
