Lazarus Group: Details have been made public of an attack campaign carried out by the Lazarus Group, attributed to the government of North Korea. The attack targeted European aerospace and military contractor companies for espionage purposes and was later repurposed for financial theft. The operation, dubbed Operation In(ter)ception, targeted employees through LinkedIn job-recruitment profiles and private messages. Lazarus Group members conducted fake job interviews with employees at target organizations and used malicious documents to compromise their targets. The documents supposedly contained salary and job information about the positions the employees were applying for; in reality the documents carried tools used by Lazarus Group to gain a foothold on victims’ systems. The operation, which took place between September and December of 2019, targeted victims’ Active Directory (AD) servers to obtain lists of employees and system administrators, and later carried out brute-force attacks on administrator accounts. Following the completion of the campaign, the group chose to carry out scam attempts on the victim organizations’ business partners. Lazarus Group looked through their victims’ email inboxes for unpaid invoices and then followed up on those emails. In the follow-up communications the group urged the recipients to pay, but to accounts controlled by Lazarus Group. Luckily the group’s attempts to carry out their thefts through business email compromise (BEC) were unsuccessful, as many of the targets noticed that something was “off” about the follow-up emails.
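The campaign's post-compromise step described above, enumerating administrator accounts from AD and then brute-forcing them, leaves a clear trace in Windows Security logs: repeated failed logons (Event ID 4625) against privileged accounts from one source. The following is an added detection example written for this summary, not code from the original report or from any vendor; the event records, account names and IP addresses are constructed, and the sliding-window threshold is an assumption to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security failed-logon events (Event ID 4625),
# flattened to "timestamp,event_id,target_user,source_ip". Not real log data.
SAMPLE_EVENTS = """\
2019-10-02T09:00:01,4625,svc_backup,10.0.5.17
2019-10-02T09:00:03,4625,admin.jdoe,10.0.5.17
2019-10-02T09:00:05,4625,admin.jdoe,10.0.5.17
2019-10-02T09:00:08,4625,admin.jdoe,10.0.5.17
2019-10-02T09:00:11,4625,admin.jdoe,10.0.5.17
2019-10-02T09:00:14,4625,admin.jdoe,10.0.5.17
2019-10-02T09:01:02,4624,admin.jdoe,10.0.5.17
2019-10-02T09:30:00,4625,admin.asmith,10.0.7.3
2019-10-02T11:45:00,4625,admin.asmith,10.0.7.3
"""

# Hypothetical privileged-account list; in practice this would be pulled from
# AD group membership (e.g. Domain Admins) rather than hard-coded.
ADMIN_ACCOUNTS = {"admin.jdoe", "admin.asmith"}

def parse_events(text):
    """Parse the flattened records into (time, event_id, user, source_ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), user, src))
    return sorted(events, key=lambda e: e[0])

def find_admin_bruteforce(events, admin_accounts=ADMIN_ACCOUNTS,
                          threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (source_ip, user) whose failed logons against an
    admin account reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = {}
    for ts, event_id, user, src in events:
        if event_id != 4625 or user not in admin_accounts:
            continue                      # successes and non-admin accounts are ignored
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, user) not in alerted:
            alerted[(src, user)] = {"source_ip": src, "target_user": user,
                                    "failures": len(q), "first": q[0], "last": ts}
    return list(alerted.values())

if __name__ == "__main__":
    for alert in find_admin_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample only the burst against admin.jdoe from 10.0.5.17 trips the rule; the two admin.asmith failures are hours apart and never accumulate within one window.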
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in