Phishing Attacks Target U.S. Aerospace & Defense Contractors
North Korean threat actors targeted U.S. defense and aerospace contractors with a massive email phishing campaign. The messages carried false job postings from several well-known defense contractors. The targets were phished in an attempt to compromise devices with malware and to steal military and defense tech intelligence.
The North Korean threat actors, posing as job recruiters, sent phishing emails and social media messages with false job offers. They used legitimate job openings from three well-known defense contractors, says a report from cyber security researchers at McAfee Advanced Threat Research (ATR).
The attacks persisted from 31 March to 18 May 2020 and were sent to an undetermined number of targets.
The targets were sent malicious documents as lures, with the goal of installing data-gathering DLL implants on the victims’ machines. Several types of implants were used in the attacks.
What is Hidden Cobra?
Hidden Cobra is a term for state-sponsored advanced persistent threat groups that work for the Democratic People’s Republic of Korea (DPRK, also known as North Korea). Hidden Cobra consists of threat actors like Advanced Persistent Threat Group 37 (APT 37), Lazarus Group, APT 38, KONNI, DarkHotel, Kimsuky, and Andariel.
North Korean Cyber Attacks
Just this month, Lazarus Group was implicated in a series of MageCart attacks on major retailers in Europe and the United States. The malware attacks steal money to fund other activities.
In February, the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert after threat actors compromised a gas compression facility using a spear phishing attack. The North Korean attackers successfully compromised the company’s IT network.
CISA issued an alert in March, along with the U.S. Departments of State, the US Treasury, and the Federal Bureau of Investigation (FBI). The US government is offering a $5 million USD reward for information on North Korean threat activity – past or present.
In May of this year, CISA, the FBI, and the Department of Defense (DoD) jointly issued an update on North Korean malware activity – specifically the TAINTEDSCRIBE and PEBBLEDASH trojans and the COPPERHEDGE RAT malware.
How do I defend against phishing emails?
The objective of this campaign was to gather intelligence about specific US defense programs and technology. The threat actors sent legitimate job postings from three defense and aerospace organizations to lure an unknown number of targets into downloading malicious documents. If the victim downloaded the weaponized document, then malware compromised their computer.
According to McAfee, their technology currently protects against this phishing threat.