While the world was in the midst of the COVID-19 pandemic, North Korean hackers were targeting the US defense and aerospace sectors with fake job offers in the hopes of infecting employees looking for better opportunities and gaining a foothold on their organizations’ networks.
The attacks began in late March and lasted throughout May 2020, cyber-security firm McAfee said in a report published today.
Tracked under the codename of “Operation North Star,” McAfee said these attacks have been linked to infrastructure and TTPs (Techniques, Tactics, and Procedures) previously associated with Hidden Cobra — an umbrella term the US government uses to describe all North Korean state-sponsored hacking groups.
The good ol’ fake job offer trick
As for the attacks themselves, McAfee said they were run-of-the-mill spear-phishing emails that enticed recipients to open boobytrapped documents containing a possible job offer.
Many hacking groups have leveraged this lure in the past, and North Korean hackers also used it before in attacks against the US defense sector in campaigns that took place in 2017 and 2019, Christiaan Beek, Lead Scientist & Senior Principal Engineer, told ZDNet in an email.
In fact, the 2017 attacks were cited in the US indictment against a North Korean hacker believed to have taken part in the attacks, but also in the creation of the WannaCry ransomware.
But the 2020 attacks also had their variations — namely the malware they delivered and the fact that some victims were also approached via social networks, and not necessarily via email.
The entire infection chain, from contact to how the malware operates, is detailed in summary in the graphic below, and in full glorious technical details in the McAfee report.
Questions, however, remain about the efficacy of this campaign. With workforce movement at an all-time low during the coronavirus pandemic, it’s unclear how successful North Korean hackers were by employing a “new job” theme to lure in victims.
Unfortunately, McAfee said it didn’t have access to the email themselves, where these lures were used, and they only managed to recover the boobytrapped documents and the malware payloads.
As a result, McAfee wasn’t able to determine with precision which US defense or aerospace companies were the targets of these attacks and then notify each.
The only things they could determine were the nature of the fake job positions (Senior Design Engineer and System Engineer) and the US defense programs hackers were trying to “recruit” for:
- F-22 Fighter Jet Program
- Defense, Space, and Security (DSS)
- Photovoltaics for space solar cells
- Aeronautics Integrated Fighter Group
- Military aircraft modernization programs
Raj Samani, McAfee Chief Scientist, told ZDNet yesterday that they have reached out to US cyber-security agencies to notify authorities of the past attacks as part of their normal deconfliction procedures whenever they discover campaigns like these ones.
Attacks focused on intelligence gathering
The point of these attacks was also pretty clear, with the North Star campaign being clearly part of North Korea’s cyber-espionage and intelligence-gathering efforts.
With the country under heavy economic sanctions and lacking a self-sustaining military-industrial complex, it can only support its nuclear weapons program and ambitions by importing or stealing the information it needs — which in this case, it was hoping to obtain from US defense and aerospace contractors.
However, another way through which North Korea sustains its nuclear program is by allowing its hackers to engage in mundane cybercrime and launder the money back into the hermit kingdom. In similar news this week, security firm Kaspersky published research on Tuesday linking North Korea’s hackers to a new strain of ransomware named VHD.
Prior to that, the group was also linked to all sorts of cybercrime, such as BEC operations, Magecart attacks, bank cyber-heists, cryptocurrency hacks and scams, ATM cashouts, and crypto-mining botnets.
Despite being a small and walled nation, North Korea has built one of the most powerful and advanced army of hackers to date, and the diversity of its operations proves this point.