The federal intelligence service of Germany ( BfV ) and the National Intelligence Service of South Korea ( NIS ) issued a warning today regarding an ongoing cyber-espionage campaign on behalf of the North Korean government that is aimed at the world’s defense industry.
The attacks seek to modernize conventional weapons and create new military capabilities while also stealing information about cutting-edge military technology from North Korea and the NBSp.
Two cases attributed to North Korean actors are highlighted in today’s joint cybersecurity advisory , which is also available in Korean and German. One of these cases is referred to as the Lazarus & NbSp group and provides information on the attackers ‘ tactics, techniques, and procedures ( TTPs ).
attack on the supply chain
The first case, according to the advisory, is about an incident that happened at the end of 2022 when” a North Korean cyber actor ” intruded systems of a research center for maritime and shipping technologies” and “executed supply-chain attack” by compromising and/or the company that managed the target organization’s web server maintenance operations.”
The intruder moved laterally along the network, attempted to hide on the infrastructure, stole , SSH credentials, and misused/nothing, among other legitimate tools.
The following attack steps are specifically listed in the advisory:
- stole SSH credentials, gained access to the Linux webserver at the research center, and broke into the web server maintenance company.
- malicious files were downloaded using legitimate tools like curl that were obtained from command and control ( C2 ) servers ( tunneling tool, Base64 Python script ).
- Conducted lateral movement includes stealing employee account credentials, using tcpdump to collect packets, and setting up SSH to other servers.
- attempted to use PMS to distribute a malicious patch file while posing as the security manager using stolen account information, but the real manager blocked them.
- continued to use the website’s file-up vulnerability to upload a web shell and send emails that were spear-phishing.
The North Korean threat actor was able to infiltrate a company that upholds good security posture by first compromising the IT services provider. He then used their relationship to launch covert attacks in small, deliberate steps.
The bulletin recommends a number of security measures against these attacks, such as restricting IT service providers ‘ access to remote maintenance systems, using multi-factor authentication ( MFA ) on all accounts, and enforcing stringent patch management system ( PMS ) user authentication policies.
engineering social
The second illustration demonstrates how the defense industry was also targeted by the Lazarus group’s” Operation Dream Job,” a strategy that North Korean actors are known to employ against software developers and employees of cryptocurrencies.
In September 2023, Lazarus targeted an employee of a Spanish aerospace company to infect systems with the” LightlessCan” backdoor, according to an incident that was highlighted by ESET.
In order to network with the appropriate individuals for the campaign’s social engineering objectives, Lazarus creates an account on an online job portal using fictitious or stolen personal data of an existing person. This case is highlighted in the security bulletin.
The threat actor then approaches representatives of defense organizations using that account and establishes a conversation with them in English over the course of several days, weeks, or even months.
The threat actor offers the victim a job after winning their trust and suggests an external communication channel where it can share an infected PDF file that contains information about the offer.
Lazarus typically uses this file as a first-stage launcher to infect the target’s computer before using it to gain access to the corporate network.
Lazarus occasionally sends a ZIP file containing an infected VPN client, which they use to gain access to the network of the victim’s employer.
These strategies are well-known, but they can still be effective if businesses do n’t inform staff about the most recent cyberattack trends.
A good security posture should begin with the tenet of least privilege and restricting , which states that employees should only have access to the systems they require.
The security posture should be improved by strengthening the patch management system’s authentication mechanisms and procedures and keeping audit logs with user access.
The two organizations advise staff members to learn common strategies for social engineering attacks.