A possible North Korean government-connected cyber-espionage campaign that targeted the defense industry stretched further than originally known when it was inititally uncovered this summer, researchers said.
“Operation North Star” went beyond targeting South Korea to include Australia, India, Israel and Russia, McAfee said in a report out Friday. And its motives and methods seem to be clearer now, too, according to researchers.
Israel’s Ministry of Defense had previously blamed Lazarus Group, which the U.S. government calls Hidden Cobra, for sending phony job offers in its defense sector — a tactic that lined up with McAfee’s earlier description of Operation North Star tactics. Additionally, the campaign used a previously undiscovered implant called Torisma that it deployed to burrow further into victims’ systems, McAfee said.
The tactic represents the kind of digital spying technique that would have given hackers access to machines belonging to job applicants positioned near military organizations — just the kind of targets that a foreign government would value.
“The campaign’s technologies and tactics — the installation of data gathering and system monitoring implants — suggests that the adversary is in a position to remain persistent, conduct surveillance on and exfiltrate sensitive data from its defense sector victims,” the report reads.
And the attackers had priorities.
“The detailed job descriptions used to lure victims and the selective use of the Torisma implant suggest that the attackers were pursuing very specific intellectual property and other confidential information from very specific defense technology providers,” McAfee said. “Less valuable victims were sidelined to be monitored silently over an extended period of time until they become more valuable.”
McAfee didn’t directly attribute the campaign to Lazarus Group, but said the code used in the spearphishing attachments were virtually identical to a previous campaign from the hackers.
ClearSky more directly blamed Lazarus Group for the campaign, which it dubbed “Operation Dream Job.” The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency also warned in August of North Korea using malware variants that targeted government military and defense contractors.