State actors from within North Korea have launched a campaign against potential recruits for the aerospace and defense industry, with the goal of compromising their systems or harvesting their information to exploit later, once they have been hired by the government. This attack has not been attributed to a single North Korean Advanced Persistent Threat (APT) group (such as Lazarus), but rather to “Hidden Cobra”, a label that broadly refers to any attack by a North Korean actor using a known set of infrastructure and practices.
This attack was highly targeted and relied on spoofed versions of known defense contractor websites to lure in victims; furthermore, these attack sites repurposed existing, legitimate websites hosted in the United States and Italy to evade detection. This shows a level of complexity, technical acumen, and dedication to keeping a low profile that sets this attack apart from its peers. The spoofed websites would validate that the individual accessing them was a legitimate target before taking any action against the user, further hiding their signature by attacking rarely. Normally, a series of attacks from a single website shreds its cover: as more and more systems report the attempted compromise, it draws the attention of cybersecurity researchers.
If a target was validated, the website would attempt to install the Torisma malware via infected documents, giving the attacker prolonged visibility into, and access to, the infected system.