North Korean hacking group targets defense contractors

A North Korean hacking group appears to be targeting U.S. defense contractors in a new malware campaign using infected documents containing fake job listings.

The Lazarus Group, a sophisticated hacking group tied to North Korea’s principal intelligence agency, has been sending malicious documents with fake job opportunities to aerospace and defense contractor Lockheed Martin, according to Malwarebytes Labs , a cybersecurity research firm.

The Lazarus Group, active since 2009, is blamed for the 2014 attack on Sony Pictures , the 2017 WannaCry ransomware campaign , and a handful of other high-profile cyberattacks.

Lazarus is an advanced and sophisticated hacking team “known to target the defense industry,” Malwarebytes researchers wrote. “The group keeps updating its toolset to evade security mechanisms.”

The Lazarus campaign, identified by Malwarebytes in mid-January, appears to be targeting specific companies using an attack method called spear-phishing , the cybersecurity firm said. The attack compromises the Windows Update process to evade antivirus protection, and it used an account on the GitHub software development platform to control the malware, the cybersecurity firm said.

It’s unclear what the hackers were looking for in the targeted systems. Some cybersecurity experts suggest the motive could be espionage, while others believe the goal could be to steal credit card numbers and other personal information.

The group may be gathering information about people working at defense contractors, said Allan Buxton, director of forensics at Secure Data Recovery Services .

“Lazarus has its hands in a lot of different attacks, either attempting to profit from information gained or stealing funds directly,” he told the Washington Examiner. “Targeting Lockheed reads more as an attempt either to gain information about an adversary or to discredit them and remove them from the opposition’s use.”

The attacks were likely looking for targets who had security clearances from Western governments, added Greg Otto, a researcher at cybercrime intelligence provider Intel 471 . “From there, they could possibly siphon sensitive information or discover credentials that would allow them to move further into sensitive computer networks,” he told the Washington Examiner.

Targeted phishing campaigns can be very effective, given that they target people with email pitches tailored to their interests, some cybersecurity experts said. These spear-phishing attacks often appeal to the egos of the victims.

“A good deal of social engineering goes into a spear-phishing attack. If an attacker can convince the target that the message is legitimate, the attack is more likely to be successful,” Otto said. “Given how easy it is to make messages seem legitimate, spear-phishing messages do have a higher rate of success than bulk phishing attempts.”

But spear-phishing attacks can also be thwarted with employee training, noted Buxton. Training should include “teaching all staff to be suspicious of any unsolicited or unexpected communications, and giving them a means to validate any that they receive,” he said.

An example of spear-phishing would be a finance department employee getting an email supposedly from the company’s CEO authorizing a wire transfer. “Having a process in place to verify that request, independent from merely replying to the unsolicited email, effectively stops the fraud before it starts,” he said.

Spear phishing is an “incredibly effective” method of attack, added Richard Ford, CTO of Praetorian , a security testing and consulting firm. “Phishing is one of the simplest initial entry points from an attacker,” he told the Washington Examiner. “Often, it’s all you need to execute a catastrophic breach.”

Ford recommended companies take a “layered” approach to defend against spear-phishing, including employee training, email filters, browser isolation, and multifactor authentication.

“While end-user training is important, it’s unfortunately not enough,” he said. “Users tend to be very task-centric, and so a skilled attacker can usually get through. It’s necessary but not sufficient.”

Published in Restoring America by The Washington Examiner by Grant Gross on February 3, 2022.