North Korean hackers target U.S. aerospace and defence industry


Hackers from North Korea are targeting the U.S. defense and aerospace industries. “Operation North Star” is the name given to the malicious attacks, which targeted employees and other sensitive parties affiliated with the sectors.

The operation used documents advertising job descriptions and vacancies. Vulnerable job seekers who unknowingly opened the materials allowed malicious code to run on their devices. The code would then collect critical and valuable data from them.

The McAfee Advanced Threat Research team reported that the contents of these documents served as bait for the people targeted by these spear-phishing campaigns.

Malware in job vacancies

The researchers said this method of using job vacancies and offers to deliver malicious code is not new, though the lure documents and implants were quite distinct, making the whole campaign unique.

The North Korean hackers are suspected to be a part of the infamous Hidden Cobra group. One of the tell-tale signs is that they used mireene.com, a domain linked to them in the past alongside the Lazarus Group, another infamous collective.

In 2018, Lazarus targeted banks and bitcoin, and in 2019, it went after Linux. 

Brandon Hoffman, CISO and head of security strategy at cybersecurity firm Netenrich Inc., said, “While reviewing the tactics, techniques, and procedures, there is no doubt that it is a sophisticated and highly targeted campaign.”

The use of documents, dynamic link libraries, and phishing techniques drove the campaign forward. The attackers mostly employed command-and-control methods to accomplish their mission.

MediaPro Holdings LLC’s chief learning officer Tom Pendergast echoed Hoffman, acknowledging the employee as an entry point for phishing attacks meant to cause damage to a company. “Users at defence and aerospace companies must be especially sceptical of any contact,” he warned.

As part of these precautions, users should inspect files before opening them.