In the middle of the COVID-19 pandemic, North Korean hackers targeted the US defense and aerospace sectors, using fake job offers as bait to infect employees looking for better job prospects and to gain access to the networks of their organizations. The attacks began in late March and lasted until May 2020, according to cybersecurity company McAfee. McAfee reported that the attacks, known as "Operation North Star", are connected to infrastructure and TTPs (Techniques, Tactics and Procedures) previously associated with Hidden Cobra, a term used by the US Government to describe organized hacking groups funded by North Korea.
In addition, the company noted that the attacks used spear-phishing to lure targeted recipients into opening documents that were supposed to contain a job offer. Many hacking groups have used the job offer as bait in the past, with North Korean hackers using it in attacks on the US defense sector in 2017 and 2019, said Christiaan Beek, chief scientist and Senior Principal Engineer.
The 2017 attacks featured in US allegations against a North Korean hacker believed to have been involved in them, as well as in the creation of the WannaCry ransomware. The 2020 attacks also relied on malware, with some victims approached not only through e-mail but also through social media.
The entire chain of attacks, from the initial contact to how the malware works, is described in the chart below, with full technical details available from McAfee.
However, the effectiveness of this campaign is not yet known. As the pandemic has affected workers, it is unclear how successful North Korean hackers have been in using a "new job" theme to lure victims. McAfee said it could not determine exactly which U.S. defense or aerospace companies were the targets of the attacks in order to alert them. The only things it could identify were the nature of the fake jobs (Senior Design Engineer and System Engineer) and the US defense sectors targeted by the hackers:
- F-22 Fighter Jet Program
- Defense, Space and Security (DSS)
- Photovoltaics for space solar cells
- Aeronautics Integrated Fighter Group
- Military aircraft modernization programs
Raj Samani, chief scientist at McAfee, told ZDNet that the company had turned to US cybersecurity agencies to inform the authorities about the attacks.
The North Star campaign is aimed at espionage and the collection of information that can be used to the benefit of North Korea.
As the country is under heavy economic sanctions and without a self-sustaining military-industrial complex, it can only support its nuclear weapons program and ambitions by entering or stealing the information it needs - which, in this case, it hopes to obtain from the US defense and aerospace sectors.
Yet another way in which North Korea maintains its nuclear program is by allowing hackers to engage in cybercrime. At the same time, the security company Kaspersky published a report this week linking North Korean hackers to a new ransomware strain called VHD.
Prior to that, the group was linked to other types of cybercrime, such as BEC fraud, Magecart attacks, bank robberies, cryptocurrency fraud and cryptocurrency mining botnets. Finally, North Korea has "built" one of the most powerful and advanced hacker armies to date, as evidenced by the variety of its operations.