North Korean Hackers Target Defense Sector Supply Chains

by Carolyn Mathas

Both Germany’s and South Korea’s intelligence agencies are warning of an ongoing cyber-espionage operation by the North Korean government that targets the global defense sector. Its goal is to steal information about advanced military technology so that North Korea can modernize its conventional weapons and develop new military capabilities.

One North Korean entity, the Lazarus group, is said to provide the tactics, techniques, and procedures (TTPs) used by the attackers.

According to the advisory, there was an incident at the end of 2022. A North Korean cyber actor intruded into the systems of a research center for maritime and shipping technologies, executing a supply-chain attack by compromising the firm that managed the target organization’s web server maintenance. They stole SSH credentials, abused legitimate tools, and moved laterally on the network, trying to remain hidden on the infrastructure.

By compromising the IT services provider, the attackers were able to infiltrate an organization that otherwise maintained a good security posture, taking advantage of the trust relationship between the two to carry out covert attacks in small, careful steps.

Another example shows that Lazarus group’s “Operation Dream Job,” a tactic the North Korean actors are known to use against employees of cryptocurrency firms and software developers, was used against the defense sector. In 2023, Lazarus targeted an employee of an aerospace company in Spain to infect systems with the ‘LightlessCan’ backdoor.

Lazarus creates an account on an online job portal using fake or stolen personal data and curates it over time, networking with the right people for the social engineering goals of the campaign. Then, they use that account to approach people working for defense organizations and reach out to them, starting a conversation in English and building a connection over multiple days, weeks, or even months.

After gaining the victim’s trust, the threat actor offers them a job and suggests moving to an external communication channel to share a malicious PDF file, described as a document with details about the offer. In some cases, Lazarus sends a ZIP file containing a malicious VPN client, which the attackers then use to access the victim’s employer’s network.

These tactics will continue to succeed unless organizations educate their employees about the latest cyberattack trends. Adding strong authentication mechanisms, defined procedures for the patch management system, and audit logs that record user access should improve security.
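The supply-chain incident above turned on stolen SSH credentials belonging to a web server maintenance provider, and the closing recommendation is strong authentication plus audit logs that record user access. The following added example (not code from the article or from either intelligence agency) shows one way a defender can act on those logs: it parses OpenSSH "Accepted ..." lines and flags successful logins by third-party maintenance accounts that either arrive from outside the provider's agreed address range or use password authentication where key-based authentication is expected. The account names, address ranges and log lines are constructed for the example.

```python
"""Review sshd authentication logs for third-party maintenance accounts.

Added example, not from the article: flags successful SSH logins by vendor
accounts that come from outside the provider's agreed allowlist, or that use
password authentication instead of public keys, so that a maintenance
provider's stolen credentials being reused from elsewhere stands out.
All account names, address ranges and log lines below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: accounts a hypothetical web-server maintenance vendor uses, and
# the address ranges the vendor is contractually expected to connect from.
VENDOR_ACCOUNTS = {"webmaint", "vendor-ops"}
VENDOR_ALLOWLIST = [ip_network("203.0.113.0/24")]

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n> ssh2" lines
# in the traditional syslog layout ("Nov 14 02:11:07 host sshd[pid]: ...").
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; the 15 Nov and second 16 Nov entries are the suspicious ones.
SAMPLE_LOG = """\
Nov 14 02:11:07 web01 sshd[2231]: Accepted publickey for webmaint from 203.0.113.17 port 51022 ssh2
Nov 14 02:13:40 web01 sshd[2240]: Accepted publickey for alice from 10.0.0.5 port 40122 ssh2
Nov 15 23:48:02 web01 sshd[3102]: Accepted password for webmaint from 198.51.100.9 port 60311 ssh2
Nov 15 23:50:19 web01 sshd[3110]: Failed password for root from 198.51.100.9 port 60320 ssh2
Nov 16 01:05:33 web01 sshd[3311]: Accepted publickey for vendor-ops from 203.0.113.40 port 44010 ssh2
Nov 16 01:09:51 web01 sshd[3320]: Accepted publickey for vendor-ops from 192.0.2.77 port 44021 ssh2
"""


def parse_accepted(lines):
    """Yield (timestamp, method, user, ip) for every successful login line."""
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            yield m["ts"], m["method"], m["user"], m["ip"]


def review_vendor_logins(lines):
    """Return a list of findings for vendor-account logins worth a second look.

    Each finding is a dict with ts, user, ip and a list of reasons. Logins by
    accounts outside VENDOR_ACCOUNTS are ignored; those belong to other reviews.
    """
    findings = []
    for ts, method, user, ip in parse_accepted(lines):
        if user not in VENDOR_ACCOUNTS:
            continue
        reasons = []
        addr = ip_address(ip)
        if not any(addr in net for net in VENDOR_ALLOWLIST):
            reasons.append("outside vendor allowlist")
        if method != "publickey":
            reasons.append(f"{method} authentication (expect publickey)")
        if reasons:
            findings.append({"ts": ts, "user": user, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_vendor_logins(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['user']}@{f['ip']}: {'; '.join(f['reasons'])}")
```

Run against a real host the script would read /var/log/auth.log (or `journalctl -u ssh`) instead of SAMPLE_LOG; the useful extension is to feed the findings into a ticket for the vendor to confirm or deny the session, since a legitimate engineer working from an unexpected network and a reused stolen key look identical in the log itself.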
