ESET Research: Lazarus attacks aerospace and defence contractors worldwide while misusing LinkedIn and WhatsApp
- During the recent ESET World conference, ESET researchers presented an investigation into the infamous Lazarus APT Group and their attack on defence contractors around the world between late 2021 and March 2022.
- Targets were, according to ESET Telemetry, in Europe (France, Italy, Spain, Germany, Czech Republic, the Netherlands, Poland, and Ukraine), the Middle East (Turkey, Qatar), and Latin America (Brazil).
- For fake recruiting campaigns, they used services such as LinkedIn and WhatsApp.
Lazarus APT is a notorious cybercrime organisation with an unknown number of members. Research revealed during the annual ESET World conference showed that, from late 2021 through to March 2022, Lazarus targeted aerospace and defence contractors across the globe with the intent of cyber-espionage and exfiltration of funds, though with only limited success.
According to ESET telemetry, the attacks show that Lazarus has been targeting companies in Europe (France, Italy, Spain, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil).
As early as 2020, ESET researchers had already documented a campaign, which ESET called Operation In(ter)ception, pursued by a sub-group of Lazarus against European aerospace and defence contractors. This campaign was noteworthy because it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine had already been targeted.
Director of ESET Threat Research, Jean-Ian Boutin, explains that the threat group showed ingenuity by deploying an interesting toolset, including, for example, a user-mode component able to exploit a vulnerable Dell driver to write to kernel memory. “This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.
The promise of jobs was the key to the door
ESET researchers initially believed that the activity was mostly geared toward attacking European companies, but by tracking the number of Lazarus sub-groups running similar campaigns against defence contractors, they soon realised that the campaign extended much further. While the types of malware used in the various campaigns differed, the initial modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee through LinkedIn and eventually sent malicious components.
In this regard, they’ve continued with the same M.O. as in the past. However, ESET researchers have also documented the reuse of legitimate hiring campaign elements to add legitimacy to their fake recruiters’ campaigns. Additionally, the attackers have used services such as WhatsApp or Slack in their malicious campaigns.
In 2021, the U.S. Department of Justice charged three IT programmers working for the North Korean military with carrying out cyberattacks. According to the U.S. government, they belonged to the North Korean military hacker unit known in the infosec community as the Lazarus Group.
Throughout the presentations at ESET World it has become clear that businesses and civilians are no longer the most common victims of malicious attacks: the public sector and its associated contractors are at even greater risk, and the consequences are potentially far more severe.