UK Cybersecurity Firm Says North Korean Attacks on Israel Successful
Since the beginning of 2020, the North Korea-linked threat group known as Lazarus has successfully compromised dozens of organizations in Israel and other countries by targeting their employees with appealing job offers, UK-based cybersecurity firm ClearSky reported this week.
Also referred to as Hidden Cobra, Lazarus is a cyber-espionage threat actor that also engages in financially-motivated attacks, including campaigns on crypto-currency exchanges, the WannaCry outbreak in 2017, the Sony Pictures Entertainment incident, and the $81 million Bangladesh bank theft.
The hacking group is known for the use of a variety of malware, including the recently detailed MATA framework and a significant number of Mac malware families. Over the past couple of years, the U.S. Cyber Command (USCYBERCOM) has shared various malware samples associated with the group.
Earlier this week, the Israeli defense ministry claimed to have successfully prevented a Lazarus attack targeting the country’s defense manufacturers, but ClearSky says that the attackers were in fact successful in their attempts.
“This campaign has been active since the beginning of the year and it succeeded, in our assessment, to infect several dozens of companies and organizations in Israel and globally. Its main targets include defense, governmental companies, and specific employees of those companies,” ClearSky says.
The company, which identified North Korean activity in Israel last year as well, explains that the attackers leveraged social engineering in the new attacks, which it collectively refers to as operation “Dream Job.”
The reason for this name is that the attackers used carefully created fake LinkedIn accounts to contact potential victims and lure them with the promise of lucrative job offerings, on behalf of prominent defense and aerospace entities in the United States, such as BAE, Boeing, and McDonnell Douglas.
The attackers spent weeks or even months gaining the victim’s trust by conducting conversations via personal emails, instant messaging applications, and even through voice calls on the phone or over WhatsApp.
Once the goal had been achieved, the victim, an employee at the targeted organization, would be tricked into opening a malicious attachment within the enterprise environment, thus providing the hackers with a foothold within the company. At this point, all communication with the victim would cease and the fake social platform accounts would be deleted.
A successful infection allowed attackers to collect information on the company’s activity, as well as on its financial affairs, likely in preparation for future attacks aimed at stealing money from the victim organizations.
“We assess this to be this year’s main offensive campaign by the Lazarus group, and it embodies the sum of the group’s accumulative knowledge on infiltration to companies and organizations around the globe. In our estimation, the group operates dozens of researchers and intelligence personnel to maintain the campaign globally,” ClearSky notes.