North Korean hackers are expanding their efforts to break into U.S. defense and aerospace companies in a series of attacks dubbed “Operation North Star.”
Detailed Wednesday by researchers at McAfee Advanced Threat Research, the operation involves the use of a series of malicious documents containing job postings taken from leading defense contractors.
The documents, which typically contain job descriptions for engineering and project management positions for active defense contracts, are targeted to employees who may be interested in job opportunities. Once the document is opened, malicious code designed to gather data is installed in the background.
“The individuals receiving these documents in a targeted spear-phishing campaign were likely to have an interest in the content within these lure documents, as we have observed in previous campaigns, as well as some knowledge or relationship to the defense industry,” the researchers said.
The methodology isn’t new, and similar campaigns have been seen in the past, but the researchers note that the implants and lure documents in this campaign differ from those used previously, leading them to conclude that it is a distinct campaign in its own right.
Those behind the attack are using compromised services in Europe, with the domain mireene.com a common denominator in many. The domain name is linked to Hidden Cobra, a name given to various suspected North Korea hacking groups by the U.S. Intelligence Community but most commonly tied to the Lazarus Group.
Brandon Hoffman, chief information security officer and head of security strategy at cybersecurity firm Netenrich Inc., told SiliconANGLE that Operation North Star has several interesting characteristics.
“While reviewing the tactics, techniques and procedures there is no doubt that it is a sophisticated and highly targeted campaign,” he said. “Breaking down the campaign to its simplest terms, the campaign used phishing techniques, word documents, DLLs and libraries for persistence and is still reliant on command-and-control for objective completion.”
Tom Pendergast, chief learning officer at cybersecurity and privacy education firm MediaPRO Holdings LLC, noted that too often the point of entry for an attack is an employee. “That’s why social engineering attacks — especially spear-phishing attacks aimed at a particular kind of person — are so often capable of wreaking havoc within a company,” he said. “Users at defense and aerospace companies must be especially skeptical of any contact — sadly, even to the point of paranoia — and have to take steps to verify the legitimacy of contacts.”
Photo: The Kremlin