Hackers used previously unknown tools to spy on defense and aerospace organizations. The attacks began with phishing emails and social engineering and were highly targeted. McAfee's researchers first described this campaign, known as Operation North Star, a few months ago.
However, the investigation continued and more details have come to light. Researchers have discovered additional tactics and techniques used by the hackers, which are quite similar to those of the Lazarus Group. The USA has stated that this group serves the interests of the North Korean government.
According to the initial findings, the espionage campaign relies on spear-phishing emails and LinkedIn messages posing as recruitment messages in order to lure victims into opening malicious attachments. The hackers even used legitimate job ads and documents taken from popular sites of US defense organizations to make the messages look more authentic.
Additional McAfee analysis has now revealed that the attackers infect their victims in two stages. In the first stage, targets are infected with malware that allows the intruders to collect data such as disk information, free disk space, computer name, username, etc.
The attackers then analyze this information to determine whether it is worth continuing the attack (i.e. whether the target is "high profile"). If the victim is not considered significant enough, the hackers stop; otherwise they move on to the second stage, concentrating on larger organizations.
In the second stage of the attack, Torisma, a custom tool designed to monitor the systems of high-value victims, is deployed. In this way the attackers try to obtain access and credentials while avoiding detection.
According to McAfee's investigators, the hackers were attempting to run a long-term espionage campaign focused on specific individuals holding important positions.
During Operation North Star, the hackers researched their targets and created tailored content to attract victims and then infect them with malware that would enable espionage.
The original report, released a few months ago, described attacks in the US, but in reality the hackers had also targeted technology companies and defense and aerospace organizations in Israel, Russia, India and Australia.
"The hackers behind the campaign are more 'sophisticated' than they first seemed. They are focused on what they want to achieve, and more disciplined and patient in pursuing their goal," the researchers said.
Cyber espionage is not the only form of cyber-attack involving North Korea. Hackers working for the country's government are also involved in cryptocurrency mining campaigns, and they have been accused of the catastrophic WannaCry ransomware as well.