Threat Watch

Lazarus Group Repurposes Cyber-Espionage Compromise for Financial Theft

Lazarus Group: Details have been made public of an attack campaign carried out by the Lazarus Group, attributed to the government of North Korea. The attack targeted European aerospace and military contractors for espionage and was later repurposed for financial theft. The operation, dubbed Operation In(ter)ception, approached employees of the target organizations through fake LinkedIn recruiter profiles and private messages. Lazarus Group operators conducted fake job interviews with these employees and used malicious documents to compromise them. The documents supposedly contained salary and job information about the positions on offer; in reality they carried the tooling Lazarus Group used to gain a foothold on the victims' systems.

The operation, which took place between September and December of 2019, targeted the victims' Active Directory (AD) servers to obtain lists of employees and system administrators, and then carried out brute-force attacks against the administrator accounts. After the espionage campaign was complete, the group turned to scamming the victim organizations' business partners. Lazarus Group searched the victims' email inboxes for unpaid invoices and then followed up on those email threads, urging the recipients to pay, but to accounts controlled by Lazarus Group. Fortunately, the group's attempts to carry out these thefts through business email compromise (BEC) were unsuccessful, as many of the targets noticed that something was "off" about the follow-up emails.

ANALYST NOTES

Analyst Note: This is not the first time Lazarus Group has used fake job postings and interviews to target the employees of organizations of interest; the group used a similar approach against financial institutions in Central and South America. While it is not surprising that Lazarus Group would be caught running an operation for financial gain, this is the first time the group has been seen using BEC to redirect invoice payments through email. Lazarus Group has traditionally gained a foothold in target networks by first compromising individual employees. Endpoint Detection and Response (EDR) can provide the early detection needed to identify intrusions like these before they spread through the network and establish footholds on more critical systems.
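The AD enumeration followed by brute-force attempts against administrator accounts is the stage of this campaign that leaves the clearest trail in ordinary Windows Security logs, independent of any EDR product. The following is an added example, not code from the original Threat Watch entry or from the underlying ESET report: a minimal detector that flags a source that fails logons against several privileged accounts in a short window and notes whether a successful privileged logon followed from the same source. The account names, source IPs, the five-failure threshold and the ten-minute window are all assumptions chosen for the example, and the log records are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs for interactive/network logon outcomes.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample records, not real telemetry. Each tuple is
# (timestamp, event_id, target_account, source_ip), in log order.
SAMPLE_EVENTS = [
    ("2019-10-02T09:00:01", 4625, "da-jsmith",  "10.0.0.23"),
    ("2019-10-02T09:00:03", 4625, "da-mwong",   "10.0.0.23"),
    ("2019-10-02T09:00:05", 4625, "svc-backup", "10.0.0.23"),
    ("2019-10-02T09:00:07", 4625, "da-jsmith",  "10.0.0.23"),
    ("2019-10-02T09:00:09", 4625, "da-mwong",   "10.0.0.23"),
    ("2019-10-02T09:00:12", 4624, "da-mwong",   "10.0.0.23"),  # foothold
    # An ordinary user mistyping a password twice; must not alert.
    ("2019-10-02T09:05:00", 4625, "alice",      "10.0.0.88"),
    ("2019-10-02T09:05:04", 4625, "alice",      "10.0.0.88"),
    ("2019-10-02T09:05:09", 4624, "alice",      "10.0.0.88"),
]

# Hypothetical privileged set. In practice this is the same list the
# attackers pulled from AD (Domain Admins, server admins, service accounts).
ADMIN_ACCOUNTS = {"da-jsmith", "da-mwong", "svc-backup"}


def parse_events(records):
    """Turn the raw tuples into dicts with a real datetime for sorting."""
    return [
        {"ts": datetime.fromisoformat(ts), "id": eid, "account": acct, "src": src}
        for ts, eid, acct, src in records
    ]


def detect_admin_bruteforce(events, admin_accounts, threshold=5,
                            window=timedelta(minutes=10)):
    """Return one alert per source IP whose failed logons against privileged
    accounts reach `threshold` inside `window`. Each alert lists the accounts
    targeted and any privileged account that then logged on successfully
    from the same source, i.e. the case where the brute force worked."""
    failures = defaultdict(list)   # src -> [(ts, account)] for admin 4625
    successes = defaultdict(list)  # src -> [(ts, account)] for admin 4624
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["account"] not in admin_accounts:
            continue  # non-privileged accounts are out of scope here
        if ev["id"] == FAILED_LOGON:
            failures[ev["src"]].append((ev["ts"], ev["account"]))
        elif ev["id"] == SUCCESS_LOGON:
            successes[ev["src"]].append((ev["ts"], ev["account"]))

    alerts = []
    for src, fails in failures.items():
        # Sliding window over the (sorted) failure timestamps.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                start, end = fails[i][0], fails[j - 1][0]
                targeted = sorted({acct for _, acct in fails[i:j]})
                success_after = [acct for ts, acct in successes[src]
                                 if start <= ts <= end + window]
                alerts.append({
                    "src": src,
                    "start": start,
                    "end": end,
                    "failed": j - i,
                    "targeted": targeted,
                    "success_after": success_after,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_bruteforce(parse_events(SAMPLE_EVENTS), ADMIN_ACCOUNTS):
        print(alert)
```

Two caveats a practitioner would apply before deploying this: failed authentications against domain accounts often land as Kerberos pre-authentication failures (event 4771) or NTLM validation failures (4776) on the domain controller rather than as 4625 on the target host, so a production rule should feed all three IDs into the same logic; and a low threshold is deliberate here because the attackers already held the administrator list from AD, so a handful of failures spread across several privileged accounts from one source is more telling than many failures against a single account.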

More information on this incident can be found at https://www.zdnet.com/article/north-koreas-state-hackers-caught-engaging-in-bec-scams/