Hackers linked to a North Korean cyber-espionage group — best known for the global ransomware attack dubbed WannaCry — are now actively targeting U.S. defense contractors as part of an apparent, ongoing intelligence gathering operation, according to new research published by U.S. cybersecurity firm Palo Alto Networks.
The findings come at a time of heightened tension between the U.S. and North Korea, as the leaders of each nation have exchanged threats of nuclear warfare.
North Korea is a known and well-established adversary of the U.S. in cyberspace. The group responsible for both WannaCry and this newly uncovered intelligence operation is codenamed Lazarus Group by the security research community.
Analysts with Palo Alto Networks’ Unit 42 found that Lazarus Group recently sent a barrage of spearphishing emails with booby-trapped Microsoft Word attachments to several individuals involved with different U.S. defense contractors. The hackers did very little to obfuscate their identity; they relied on tools, techniques, and procedures from the past, which have already been attributed to North Korean hacking operations.
In this case, the attackers were hoping to force a malware download that would give them wide access to files and other information stored on a victim’s computer.
Interestingly, the payload intended for the U.S. defense contractors is almost identical to what Lazarus Group used around April to compromise South Korean organizations, based on previous research.
“We’ve identified weaponized Microsoft Office Document files which use the same malicious macros as attacks from earlier this year. Based on the contents of these latest decoy documents, which are displayed to a victim after opening the weaponized document, the attackers have switched targets from Korean language speakers to English language speakers,” wrote senior threat researcher. “Most notably, decoy document themes now include job role descriptions and internal policies from U.S. defense contractors.”
In order to send these targeted phishing emails, Lazarus Group relied on already compromised machines to host the weaponized documents. By using a proxy in this manner, attackers can sometimes confuse investigators who are looking for links between an infected computer and the machine it’s communicating with to download malicious programs.
In recent years, North Korean hackers are believed to have successfully broken into Sony Pictures, the Bangladesh Bank and a foreign policy advisory group to Hillary Clinton’s presidential campaign.
This is not the first time a foreign nation has employed hackers to spy on U.S. defense contractors.
In September 2014, a comprehensive report authored by the Senate Armed Services Committee blamed China for a series of data breaches affecting U.S. Transportation Command contractors. The culprits were able to gain wide access to computers used by these contractors, allowing them to potentially acquire sensitive documents, flight details, credentials and passwords for encrypted emails.
Senators described the findings as “evidence of China’s aggressive actions in cyberspace.”