Since the beginning of 2020, the North Korea-backed hacking group Lazarus has been targeting the defense industry with a custom backdoor called ThreatNeedle, with the ultimate goal of stealing sensitive and confidential information. The group was particularly active in 2020, orchestrating numerous attacks around the world, which makes it one of the most dangerous threat actors in today's landscape. North Korean hackers have targeted many organizations, and defense companies in more than a dozen countries have now been added to their list of victims.
The attackers used COVID-19-themed phishing emails with malicious attachments or links as their primary means of gaining access to corporate networks. After the initial compromise, they installed the custom malware ThreatNeedle, which was first used in 2018 in attacks on cryptocurrency companies.
Kaspersky security researchers report that, once installed, ThreatNeedle gives the attackers full control of the victim's device: it can do anything from manipulating files to executing commands received from its operators.
ThreatNeedle helped the North Korean hackers gain access to the networks of defense organizations and steal sensitive and confidential information, which they then exfiltrated to servers under their own control. In addition, the backdoor allowed the hackers to bypass network segmentation and reach restricted networks containing critical devices that had no access to the Internet.
According to Kaspersky, after gaining an initial foothold, the attackers stole credentials and moved laterally, searching for critical assets in the victims' environment.
Throughout their attacks, the North Korean hackers also stole documents and data from appliances used to store business and customer information, and from restricted networks commonly used to store and manage highly sensitive data.
Lazarus members took control of administrators' workstations, which later allowed them to set up malicious gateways that gave them access to the restricted networks.
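The pattern above, a compromised administrator workstation being turned into a gateway between the IT network and a restricted segment, leaves a trace in network flow records: the pivot host accepts a connection from another IT host and, shortly afterwards, opens a connection into the restricted segment. The following Python script is an added example (it is not Kaspersky's tooling or anything from the original report) of a heuristic that flags this relay pattern, together with plain IT-to-restricted flows from hosts that should never cross the boundary. The network ranges, the set of permitted admin workstations, the flow log format and the flow records themselves are all constructed for illustration.

```python
"""Flag hosts that bridge an IT segment into a restricted segment.

Added example, not code from Kaspersky or from the article. The segments,
the permitted pivot hosts, the log format and the sample flows below are
all constructed assumptions for illustration.
"""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport")

# Assumed segments: the corporate IT network and the Internet-isolated
# restricted network.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
RESTRICTED_NET = ipaddress.ip_network("10.200.0.0/16")
# Assumed: only these administrator workstations may reach the restricted segment.
PERMITTED_PIVOTS = {"10.10.5.20"}

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>".
SAMPLE_FLOWS = """\
2020-06-01T09:00:01 10.10.1.15 10.10.5.20 3389
2020-06-01T09:00:05 10.10.5.20 10.200.0.7 22
2020-06-01T09:30:00 10.10.5.20 10.200.0.9 22
2020-06-01T10:00:00 10.10.1.15 10.200.0.7 445
2020-06-01T10:05:00 10.10.2.30 10.10.5.20 445
2020-06-01T10:06:10 10.10.5.20 10.200.0.11 3389
2020-06-01T10:10:00 10.200.0.7 10.200.0.8 502
"""


def parse_flows(text):
    """Parse the constructed log format into Flow tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def segmentation_violations(flows, permitted=PERMITTED_PIVOTS):
    """IT -> restricted flows from hosts that are not permitted to cross."""
    return [f for f in flows
            if in_net(f.src, IT_NET) and in_net(f.dst, RESTRICTED_NET)
            and f.src not in permitted]


def relay_candidates(flows, window=timedelta(minutes=5)):
    """Permitted pivot hosts that accept an inbound IT connection and then
    open a connection into the restricted segment within `window`.

    Returns (pivot, origin_host, restricted_target) triples.
    """
    inbound = {}  # pivot -> list of (timestamp, originating IT host)
    for f in flows:
        if f.dst in PERMITTED_PIVOTS and in_net(f.src, IT_NET) and f.src != f.dst:
            inbound.setdefault(f.dst, []).append((f.ts, f.src))
    hits = []
    for f in flows:
        if f.src in PERMITTED_PIVOTS and in_net(f.dst, RESTRICTED_NET):
            for ts, origin in inbound.get(f.src, []):
                # Only an inbound connection that precedes the outbound one
                # by at most `window` counts as a possible relay.
                if timedelta(0) <= f.ts - ts <= window:
                    hits.append((f.src, origin, f.dst))
    return hits


def analyze(text):
    flows = parse_flows(text)
    return {
        "violations": segmentation_violations(flows),
        "relays": relay_candidates(flows),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for f in report["violations"]:
        print(f"VIOLATION {f.ts} {f.src} -> {f.dst}:{f.dport}")
    for pivot, origin, target in report["relays"]:
        print(f"RELAY     {origin} -> {pivot} -> {target}")
```

On the sample data the script flags one direct crossing (10.10.1.15 reaching 10.200.0.7) and two relay chains through the admin workstation 10.10.5.20; the 09:30 connection from that workstation is not flagged because no inbound session preceded it within the window. In a real deployment the same logic would run over NetFlow or Zeek conn logs, and the window and permitted-host list would be tuned to the administrators' legitimate workflows, since a genuine admin session can produce the same shape of traffic.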
While Lazarus has mainly been known for targeting financial institutions around the world, since the start of this campaign in early 2020 it has shifted its focus to the defense industry.
It is noteworthy that Google's Threat Analysis Group has reported that Lazarus used the same malware to target security researchers. The group is also tracked under the name "HIDDEN COBRA" by the US intelligence community.
Lazarus is a financially motivated group with a long record of high-profile campaigns, including the 2014 attack on Sony Pictures (investigated as part of Operation Blockbuster) and the global WannaCry ransomware outbreak of 2017.
Kaspersky recommends that defense industry organizations take the following steps to mitigate the risk of this threat:
- Cyber-hygiene training for staff and awareness of internal security policies
- Complete segmentation of OT networks from IT networks
- Keeping security teams informed with up-to-date threat intelligence
- A dedicated OT network security solution, including traffic monitoring, analysis and threat detection