Hackers believed to be working on behalf of North Korea have in recent years posed as recruiters and targeted workers in a variety of industries with offers of extravagant jobs at big-name firms with massive salaries. In the past, that campaign has mostly been carried out over email, but now researchers are seeing North Korean hackers shift their phishing attempts to LinkedIn and WhatsApp.
By first constructing convincing profiles on the career-focused social media platform LinkedIn, reaching out to their victims with phony job offers and convincing them to move the conversation over to WhatsApp, where they would be targeted with malware, North Korean hackers have crafted a sophisticated method for targeting computer security researchers, according to a two-part report released by Google’s Mandiant on Thursday.
Michael Barnhart, a principal analyst at Mandiant, describes this North Korean threat actor as “one of the more skilled groups coming out of this closed off nation,” and in targeting security researchers, the group deployed a range of new tools.
The group’s activity — tracked as UNC2970 or TEMP.Hermit by Mandiant and included under the broader Lazarus umbrella by others — includes “an array of specially crafted LinkedIn accounts based on legitimate users” that are “well designed and professionally curated to mimic the identities of the legitimate users in order to build rapport and increase the likelihood of conversation and interaction,” Mandiant’s researchers said.
If the attackers were successful in shifting the conversation from LinkedIn to WhatsApp, they would continue interacting with the target before sending a phishing payload disguised as a job description, the researchers said, primarily in the form of customized Microsoft Word documents embedded with macros that would pull malware a remote server. In at least one case, researchers said, the hackers “continued interacting with a victim even after the phishing payload was executed and detected, asking for screenshots of the detection.”
“The activity outlined here lends itself to a more espionage-oriented goal, whereas other elements within this group are strictly after crypto and revenue generation,” Barnhart said in an email to CyberScoop. “This speaks to the size and priorities of this actor, which publicly aligns with the DPRK’s Reconnaissance General Bureau.”
Although there is widespread overlap of tooling and tactics across North Korean-aligned hacking groups, Mandiant considers TEMP.Hermit to be a distinct subset of activity under the control of the country’s Reconnaissance General Bureau and focused on intelligence collection.
Mandiant’s report notes that although previous campaigns focused largely on the defense, media and technology industries, this more recent effort targeted security researchers, possibly suggesting “a shift in strategy or an expansion of its operations.”
Earlier reporting by cybersecurity firms — such as a campaign dubbed “Dream Job” by ClearSky in 2022 — have documented how North Korean hacking groups have typically approached targets via email, allowing for a more direct delivery of customized phishing malware. But the evolution documented by Mandiant over the second half of 2022 suggests that email-based attacks are getting harder to pull off, a shift Barnhart suggest might be caused by the growing adoption of cloud infrastructure and endpoint detection and response software.