North Korea: The Israeli officials announced on Wednesday that a cyber-attack from North Korea that targeted classified systems was thwarted. While the attack was detected and stopped, security researchers involved in stopping the attack stated that it is likely that classified data was stolen. The fear among many Israeli officials is that the stolen data would be shared with Iran. This attack followed a very familiar pattern for North Korean hackers beginning with a fake LinkedIn profile being used to reach out to prospective targets. The messages purported to be from a headhunter for Boeing. While the name on the account is an actual recruiter for Boeing, they are not the person who actually sent the messages to a senior engineer at the targeted Israeli defense company. After establishing communications with the targets, the North Korean actors set up communications through WhatsApp or live phone calls. According to the victims of the attack who were interviewed, the person at the other end of the call spoke English without an accent and sounded credible. As with other similar attacks the North Korean actors then asked to send the targets a list of job requirements. That document contained malware which allowed the attackers to gain access to their systems. After compromising the employee’s workstation, the attackers then attempted to move laterally to classified Israeli networks.
Analyst Notes
North Korea has utilized similar techniques in attacks on other organizations from varying industries in the past. This campaign showed a notable step up in the fact that the interviewers on the calls spoke English well and with no accent. It is believed that North Korea outsourced this work to native English speakers who they recruited. North Korea is believed to sell its hacking services as another form of income to support its economy which has been severely crippled by trade embargos and increasing sanctions over the past few years. North Korea and Iran have had close ties for some time now, especially in a defense capacity, so it is not surprising to find North Korean threat actors involved in a campaign that could be of significant value to Iran. Continuous monitoring of network data, logs, and Endpoint Detection and Response (EDR) is an important step in defending against a campaign like this. While it is difficult for companies to ensure that employees are not falling for social engineering attacks, especially when the initial conversations take place through other communications mediums, companies can defend against malware attacks finding their way onto their networks through employee workstations if there is a security operations center monitoring all the events that occur on workstations. Identifying an attack such as this while the malware is on a single endpoint can allow time to contain the intrusion prior to its spread further into the network. More information on this issue can be found at https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
