North Korea: Researchers at McAfee published details in a new report outlining North Korea’s latest campaign that has been named Operation North Star. The attacks were carried out between late March and May 2020. The threat actor targeted individuals within the US defense and aerospace sectors with fake job offers in order to infect the workstations of employees who were actively looking for a new job. The attacks have been attributed to Hidden Cobra, which is an umbrella term used for the North Korean government’s hacking groups. Typically, attacks utilizing fake job offers occur through email, but in this case, the group used variations of this attack including using social media to spread the malware. These attacks were focused on intelligence gathering as the attackers attempted to infect devices to gain access to network resources and steal any information that was available to the victim.
Analyst Notes
The utilization of fake job offers is not a new lure in the threat landscape, though North Korea changed its approach by sending malware in malicious documents through social media in addition to email. This technique might be more effective at evading corporate defenses that scan incoming email for threats, but which lack the ability to inspect messages sent via social media. McAfee researchers did not have access to the actual messages that were being distributed but the group was utilizing the following job titles to “recruit” employees:
– F-22 Fighter Jet Program
– Defense, Space, and Security (DSS)
– Photovoltaics for space solar cells
– Aeronautics Integrated Fighter Group
– Military aircraft modernization programs
North Korea has built a dominant hacking regime despite being a small country with limited financial resources. The country focuses on intelligence stealing and financial gain, previously being linked to attacks against financial institutions, ransomware and Magecart attacks. Employees in the defense and aerospace sector have always been highly targeted. This new campaign comes at a time when government employees in the United States are less likely to be seeking jobs in the private sector as they have in the past due to COVID-19. This makes the campaign not as effective as it could have been under normal circumstances. Employees should always be aware of job scams as they are used by many threat actors. Never open documents sent through social media or email unless the sender can be verified. If a job offer comes through one of these means and cannot be confirmed, it is best to reach out to the company directly.
More information can be read here: https://www.zdnet.com/article/us-defense-and-aerospace-sectors-targeted-in-new-wave-of-north-korean-attacks/
