Fake Job Lures Target Employees of Aerospace, Energy Firms
BAE Systems Among Companies in the Sights of North Korean Cyberespionage Group
A North Korean cyberespionage group is posing as job recruiters and targeting aerospace and energy sector employees with lucrative job offers, according to Mandiant. The hackers use email and WhatsApp messages to lure victims into clicking a link that deploys backdoor malware onto their devices.
In a Wednesday blog post, Mandiant said that it investigated several attempts by a North Korean cyberespionage group in June to target people working in aerospace and energy companies, including those at BAE Systems, a British multinational aerospace and defense manufacturer that also provides information security services.
Mandiant said the group initially contacted victims by email and then moved the conversation to WhatsApp, where they sent detailed job descriptions tailored to each person's specific role. The job descriptions were in PDF format, stored inside a malicious archive, and could only be opened with a Trojanized version of SumatraPDF included in the archive.
The group, which Mandiant tracks as UNC2970, has routinely targeted organizations and their employees across sectors to obtain information of interest to the Kim Jong Un-led regime. Mandiant said the group's tools and attack techniques are similar to another North Korean threat group, tracked as TEMP.Hermit, which has been engaged in strategic intelligence collection since at least 2013.
North Korean actors have previously used LinkedIn for job-related phishing lures. In March 2023, Mandiant said the UNC2970 group masqueraded as recruiters for The New York Times and other U.S. and European media organizations and tried to get victims to open a phishing payload disguised as a job description or skills assessment (see: North Korean Hackers Find Value in LinkedIn).
In the June campaign, the espionage group used older versions of SumatraPDF, a free and open-source document viewer, to deliver backdoor malware called MISTPEN, which is a modified version of a Notepad++ plug-in. The hackers did not exploit any vulnerabilities in SumatraPDF but added a thread to its DllMain function to execute malicious code.
The group also modified a legitimate DLL file used by the SumatraPDF binary to create a launcher called BURNBOOK. "This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system reboots," Mandiant said. Newer versions of SumatraPDF now prevent users from loading modified versions of the legitimate DLL, forcing the threat group to use older versions of the document reader.
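The lure layout described above (a "job description" PDF that only opens with a viewer binary shipped in the same archive, plus a DLL such as wtsapi32.dll planted beside that binary) is something a mail gateway or analyst can triage before anyone extracts it. The following is an added defensive example, not code from Mandiant or the article; the archive it inspects is a constructed sample with inert placeholder contents, and the DLL names other than wtsapi32.dll are assumed common sideloading candidates.

```python
import io
import zipfile

# DLLs that Windows applications load by name and that are commonly planted beside a binary
# for sideloading. wtsapi32.dll comes from the article; the other names are assumed examples.
SIDELOAD_DLL_NAMES = {"wtsapi32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}


def triage_archive(data: bytes) -> dict:
    """Flag a zip archive whose layout matches the lure: a document bundled with its own
    viewer executable, a sideload-candidate DLL next to that executable, or a '.pdf'
    that is not actually a PDF (so only the bundled viewer would open it)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
        heads = {}
        for n in entries:
            with zf.open(n) as fh:
                heads[n] = fh.read(8)  # only the magic bytes are needed for triage
    base = {n: n.lower().rsplit("/", 1)[-1] for n in entries}
    exes = [n for n in entries if base[n].endswith(".exe")]
    pdfs = [n for n in entries if base[n].endswith(".pdf")]
    dlls = [n for n in entries if base[n] in SIDELOAD_DLL_NAMES]
    if pdfs and exes:
        findings.append("document bundled with its own viewer executable")
    if exes and dlls:
        names = ", ".join(sorted(base[n] for n in dlls))
        findings.append("sideload-candidate DLL beside executable: " + names)
    for n in pdfs:
        if not heads[n].startswith(b"%PDF-"):
            findings.append(f"{n} lacks a PDF header; only the bundled viewer would open it")
    return {"entries": entries, "findings": findings, "suspicious": bool(findings)}


def build_lure_sample() -> bytes:
    # Constructed sample mimicking the described layout; every payload is an inert placeholder.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description/Senior_Engineer_Role.pdf", b"not-a-real-pdf placeholder")
        zf.writestr("Job_Description/SumatraPDF.exe", b"MZ placeholder")
        zf.writestr("Job_Description/wtsapi32.dll", b"MZ placeholder")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    # Constructed control case: a lone, well-formed PDF produces no findings.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Role.pdf", b"%PDF-1.7 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_lure_sample()))
```

The heuristic is deliberately coarse: it is meant to route an attachment to analyst review, not to replace signature verification of the viewer binary on the endpoint.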
North Korean espionage attacks on Western organizations and rival nations in East Asia have escalated in recent years, particularly after Kim Jong Un announced plans to modernize the hermit kingdom's military and industrial assets.
In June, South Korea's National Intelligence Service and the National Police Agency, the U.K.'s National Cyber Security Center, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI warned in a joint advisory that the North Korean espionage group Andariel was targeting the defense, aerospace and energy sectors to steal Western nuclear and military technologies to advance the regime's military and nuclear ambitions (see: Agencies Warn of North Korean Hacks on Nuclear Installations).
The group, also known as Onyx Sleet, DarkSeoul, Silent Chollima and Stonefly, primarily targets Western and allied defense, aerospace, nuclear and engineering organizations. It funds its operations through ransomware attacks on U.S. healthcare institutions, the agencies said.
Though Mandiant did not link any UNC2970 operation with Andariel, researchers said North Korean hacker groups routinely share cyberattack tools and tactics depending on their objectives. "[UNC2970] has significant malware overlaps with other North Korean operators and is believed to share resources, such as code and complete malware tools, with other distinct actors," the company said. "While observed UNC577 activity primarily targets entities in South Korea, it has also targeted other organizations worldwide."