Anti-Phishing, DMARC , Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks

North Korean Hackers Targeted US Aerospace, Defense Firms

McAfee: 'Operation North Star' Used Fake Job Offers to Plant Malware
North Korean Hackers Targeted US Aerospace, Defense Firms
Illustration shows how phishing emails helped spread malware as part of "Operation North Star." (Source: McAfee)

Hackers with suspected ties to North Korea targeted U.S. aerospace and defense firms earlier this year with fake job offer emails sent to employees, according to an analysis released by security firm McAfee.

See Also: Strengthening Microsoft 365 with Human-centric Security

This phishing campaign, which McAfee calls "Operation North Star," attempted to use these messages to plant malware in employees' devices, which could help attackers gain a foothold into the larger network and steal data, according to the report.

While the McAfee researchers were not able to recover the majority of the phishing emails used during this campaign, the report notes that Operation North Star appears to have ties to the well-known North Korean hacking group called Hidden Cobra, which other researchers refer to as Lazarus (see: US Offers $5 Million Reward for N. Korea Hacker Information).

McAfee noticed similarities between phishing emails that targeted similar companies in 2017, as well as India's defense industry in 2019, and those used against U.S. defense and aerospace firms this year. In addition, the researchers noted that some of the domains used in Operation North Star had previously been used by Hidden Cobra in other campaigns.

"From our analysis, this appears a continuation of the 2019 campaign, given numerous similarities observed," according to the McAfee report. "These similarities are present in both the Visual Basic code used to execute the implant and some of the core functionality that exists between the 2019 and 2020 implants."

Operation North Star started about March 31 and appears to have stopped by May 18, according to McAfee. Because not all the phishing emails used were found, McAfee was unable to determine which firms and employees were targeted by the hackers.

The McAfee researchers determined that the hackers were seeking to infect the devices of employees who had specific job titles. "The victimology of these campaigns is not clear at this time. However, based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents," the report notes.

Attack Overview

The Operation North Star campaign is built around spear-phishing emails that target specific employees and appear to contain information about potential job offers, according to the report.

An overview of the Operation North Star campaign (Source: McAfee)

The emails contain a malicious attached document that, if opened, starts the initial attack. The attached file will first attempt to download a Microsoft Word template that contains macros that will then install the malware on the device. The use of the template is a way to avoid security tools and software, according to the McAfee report.

The emails themselves appear to come from job recruiters and advertise for positions such as:

  • F-22 Fighter Jet Program;
  • Defense, space and security;
  • Photovoltaics for space solar cells;
  • Aeronautics integrated fighter group;
  • Military aircraft modernization programs.

The messages are designed to lure victims to open the initial attached file, according to the report. When the malicious templates are opened, Visual Basic macro code will then load a Dynamic Link Library, or DLL, implant onto the victim's device, which then downloads the malware. Once installed, the malware will attempt to contact a command-and-control server, which appears to be based in Europe, according to McAfee.

The analysis did not name the malware involved, but it notes that it's designed to maintain persistence within the device and act in a way to move deeper into the targeted network and gather data.

Because McAfee couldn't capture all the phishing emails used in this campaign, and since the command-and-control server has now been disconnected, the researchers were able to determine what the hackers' ultimate goal was or what type of data they might have been seeking.

Recent North Korea Activity

Over the past month, researchers released numerous reports about the hacking group's activities. On Tuesday, security firm Kaspersky released a report that noted these North Korean-linked threat actors have expanded into more ransomware operations, including one detected in Europe (see: Lazarus Group Reportedly Now Wielding Ransomware).

Other reports have linked this hacking group to a new type of malware framework that has been deployed across several countries, as well as tied some of their activities to Magecart-like attacks that are designed to skim payment card information from online checkout sites.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.