German and South Korean authorities warn of North Korean hackers targeting the defence industry.
Germany’s domestic intelligence agency and South Korea’s chief intelligence agency have released a joint advisory warning of North Korean hacking activity increasingly targeting global operators in the defence sector.
According to the German Bundesamt für Verfassungsschutz and South Korean National Intelligence Service, the cyber espionage is likely being carried out by the Lazarus hacking group – a group thought by many to have links to, or to be run by, the North Korean government.
The two agencies have also observed a second, as yet unnamed group operating in tandem with Lazarus.
The aim of the observed campaign appears to be to steal military technologies in order to boost North Korea’s own capabilities.
“The Democratic People’s Republic of Korea (DPRK) puts high emphasis on military strength and focuses on the theft of advanced defence technologies from targets around the world,” the two agencies said in a joint cyber security advisory.
“The BfV and NIS assess that the regime is using the military technologies to modernise and improve the performance of conventional weapons and to develop new strategic weapon systems, including ballistic missiles, reconnaissance satellites, and submarines. DPRK increasingly uses cyber espionage as a cost-effective means to obtain military technologies.”
As part of the advisory, the two agencies outlined two specific hacking campaigns.
The Lazarus group was observed using social engineering tricks to gain the trust of defence industry employees who might be looking to change jobs. The North Korean hackers created an account on an online job portal before searching for prospective victims with access to “valuable assets like internal systems”.
Once a potential victim is found, the threat actor begins by making contact via the job portal and then spends considerable time establishing trust before finally making a job offer. This involves moving the conversation to another chat service and providing the victim with a PDF with more information on the “new” job – which is, of course, riddled with malware.
“Universally, the circumstance that employees usually do not talk to their colleagues or employer about job offers plays into the hands of the attacker,” the two agencies said.
The BfV and NIS observed a second threat actor engaging in a more traditional hacking campaign. This actor targeted the company maintaining the servers of a maritime research centre, aiming to get and maintain access via its supply chain.
“The cyber actor further infiltrated the research facility by deploying remote-control malware through a patch management system (PMS) of the research centre, and stole various account information of business portals and email contents,” the BfV and NIS said.
The threat actor’s activity was eventually discovered, and the research institute’s security was improved in the wake of the hack. However, the threat actor continued in their attempts to access the network, even going so far as to deploy spear phishing techniques.
The BfV and NIS recommend that all entities in the defence sector train their staff about the latest cyber espionage techniques.
“Brief your employees on a regular basis about the latest tendencies in cyber attacks,” the agencies said.
“This may deepen their understanding of cyber actors’ modus operandi, which constantly evolves, and ensure employees’ proper management when an actual intrusion happens.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.