Researchers Suspect North Korean Hackers Behind Cyberespionage Campaign
Sample of a fake LinkedIn message (Source: ESET)
A cyberespionage campaign that targeted aerospace and defense firms in Europe and the Middle East likely was the work of a hacking group with ties to North Korea, according to security firm ESET.
The campaign, dubbed “Operation In(ter)ception,” began in September 2019 and ran through December of that year. It targeted victims through fake LinkedIn accounts that delivered a new credential-stealing malware called Inception.dll, according to ESET researchers. Two of the victimized companies allowed the security firm to analyze the attacks.
Although the primary motive of this campaign was cyberespionage, the ESET researchers note that the hackers also attempted to steal money from the victims through a business email compromise attack.
The ESET researchers say the campaign used tactics commonly employed by the Lazarus Group, which has ties to the North Korean government. Those tactics include the use of LinkedIn profiles and the anti-analysis techniques used to disguise the malware.
“While we did not find strong evidence connecting the attacks to a known threat actor, we discovered several hints suggesting a possible link to the Lazarus group, including similarities in targeting, development environment, and anti-analysis techniques used,” researchers Dominik Breitenbacher and Kaspars Osis write in a new report.
The Lazarus Group, also known as Hidden Cobra or Dark Seoul, has conducted a series of sophisticated hacking campaigns, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.
In October 2019, malware tied to Lazarus allegedly targeted an Indian state-owned nuclear power plant to gain domain controller-level access to the facility’s IT infrastructure (see: India’s Nuclear Power Corp. Admits Malware Infected a PC).
ESET says that in the campaign that started targeting aerospace and defense firms in September 2019, the hackers attempted to gain an initial foothold by creating fake LinkedIn accounts for human resource representatives of well-known companies in the aerospace and defense industries. This included using the names of several prominent U.S. firms.
“In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major U.S. corporations in the field,” the report says.
Another sample of fake LinkedIn message (Source: ESET)
The attackers used LinkedIn’s messaging feature to send targets fictitious job offers, complete with details such as salaries, according to ESET. If a target responded, the attackers followed up with a malicious file, sent either directly through LinkedIn or from a fake email address, in the latter case as a link to a file hosted on Microsoft OneDrive.
When the victim opened the file, a decoy PDF purporting to contain job details was displayed in the victim’s browser. In the background, the attack chain downloaded malicious tools, including custom multistage malware and modified versions of open-source tools, according to the report.
Once the malware was in place, the attackers brute-forced system accounts, queried the Microsoft Active Directory server for accounts and other directory information, and scanned the victim’s IP subnet to identify other devices on the network, according to ESET.
During infection and data exfiltration, the attackers also took great care to stay under the radar, the report notes. They relied on “living-off-the-land” tactics, abusing legitimate tools and operating system functions to carry out malicious operations so that the activity blended in with ordinary administrative work.
The researchers also found that the attackers disguised malicious files by giving them names that resembled those of legitimate companies and products, including Intel, Nvidia, Skype, OneDrive and Mozilla, the report notes.
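The post-compromise behaviour described above, brute-forcing of accounts and malicious files named after well-known vendors, leaves a footprint that simple host-telemetry checks can catch. The following Python script is an added example written for this article; it is not code or detection logic from ESET’s report. The process records and logon events are constructed, and the directories listed as each vendor’s legitimate install location are an assumption for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor/product names the article says the attackers reused for their
# files, mapped to directory fragments where the genuine software lives.
# The directory list is an assumption for illustration, not from the report.
LEGIT_LOCATIONS = {
    "intel":    ("c:\\program files\\intel\\",
                 "c:\\program files (x86)\\intel\\",
                 "c:\\windows\\system32\\"),
    "nvidia":   ("c:\\program files\\nvidia corporation\\",
                 "c:\\windows\\system32\\"),
    "skype":    ("\\microsoft\\skype for desktop\\",
                 "c:\\program files\\windowsapps\\"),
    "onedrive": ("c:\\program files\\microsoft onedrive\\",
                 "\\appdata\\local\\microsoft\\onedrive\\"),
    "mozilla":  ("c:\\program files\\mozilla firefox\\",),
}


def is_masquerade(image_path: str) -> bool:
    """True if the file name borrows a vendor/product name but the file is
    not under any directory that vendor's software actually uses."""
    path = image_path.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    for vendor, dirs in LEGIT_LOCATIONS.items():
        if vendor in name and not any(d in path for d in dirs):
            return True
    return False


def find_masquerades(image_paths):
    """Return the subset of image paths that look like masquerading files."""
    return [p for p in image_paths if is_masquerade(p)]


def failed_logon_bursts(events, window=timedelta(minutes=5), min_accounts=10):
    """Flag hosts that fail logons against many distinct accounts inside a
    short window, the footprint of the account brute-forcing ESET describes.
    Each event is a dict with keys event_id, time, src_host and account;
    4625 is the Windows 'An account failed to log on' event ID.
    Returns {host: max distinct accounts seen in any window} for flagged hosts."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_host[ev["src_host"]].append((ev["time"], ev["account"]))
    flagged = {}
    for host, rows in by_host.items():
        rows.sort()
        best, start = 0, 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            accounts = {acct for _, acct in rows[start:end + 1]}
            best = max(best, len(accounts))
        if best >= min_accounts:
            flagged[host] = best
    return flagged


# Constructed sample telemetry (not real data from the ESET report).
SAMPLE_IMAGES = [
    "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvidia-share.exe",
    "C:\\Users\\jdoe\\AppData\\Roaming\\nvidia_update.exe",
    "C:\\ProgramData\\Intel\\intelupdate.exe",
    "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "C:\\Users\\Public\\mozilla_maintenance.exe",
    "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe",
]

_T0 = datetime(2019, 11, 4, 9, 0, 0)
SAMPLE_EVENTS = (
    # WS-17 fails against twelve different accounts inside one minute.
    [{"event_id": 4625, "time": _T0 + timedelta(seconds=5 * i),
      "src_host": "WS-17", "account": f"user{i:02d}"} for i in range(12)]
    # WS-03 shows a handful of ordinary mistyped-password failures.
    + [{"event_id": 4625, "time": _T0 + timedelta(minutes=i),
        "src_host": "WS-03", "account": f"staff{i}"} for i in range(3)]
    # Successful logons (4624) are ignored by the detector.
    + [{"event_id": 4624, "time": _T0, "src_host": "WS-03", "account": "staff0"}]
)

if __name__ == "__main__":
    for p in find_masquerades(SAMPLE_IMAGES):
        print("masquerade:", p)
    for host, n in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"brute-force candidate: {host} ({n} distinct accounts)")
```

The name-versus-path check is only a triage filter: in production it should be paired with an Authenticode signature check on the flagged file, since a file named after Intel or Nvidia that is also unsigned, or signed by someone else, is far more suspicious than a path anomaly alone. The logon-burst threshold (ten accounts in five minutes) is a starting point to tune against a site’s own baseline of helpdesk and service-account noise.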
While it’s not clear what, if any, data was taken during these attacks, Jean-Ian Boutin, head of threat research at ESET, believes the hackers were targeting specific employees.
“We don’t know what exactly they were after and what, if anything, got exfiltrated,” Boutin tells Information Security Media Group. “Based on the job titles of the employees initially targeted via LinkedIn, it appears that Operation In(ter)ception targeted technical and business-related information.”
In addition to the main cyberespionage campaign, the ESET researchers found that the attackers attempted a BEC-style fraud scheme once the malware was planted in the network. In one case, the attackers rifled through a company’s old files and invoices to find financial data.
The attackers then tried to trick one of the victim’s customers into paying a pending invoice. “Here, the attackers were unsuccessful – rather than paying the invoice, the customer responded with inquiries about the requested sum,” the report states. “As the attackers urged the customer to pay, the customer ended up contacting the victim’s correct email address about the issue, raising an alarm on the victim’s side.”
Concerns Over Lazarus
While the ESET research could not fully attribute this campaign to Lazarus, others have warned that the hacking group has been regularly updating its arsenal to infect new victims.
In May, for instance, the U.S. Cybersecurity and Infrastructure Security Agency identified three new malware variants that are being used by the group (see: Group Behind WannaCry Now Using New Malware).
Due to the growing complexity of these types of attacks, the U.S. government announced in April a $5 million reward for information about suspected North Korean-sponsored attacks (see: US Sanctions 3 North Korean Hacking Groups).