North Korean hackers are allegedly now targeting U.S. military and defense contractors, according to a new report.
Palo Alto Networks, a security vendor, reported that it has detected new activity targeting individuals involved with United States defense contractors.
These hackers are reportedly from the Lazarus Group, believed to be North Korean, and are using the same infrastructure and tools as attacks earlier this year. Lazarus is known for the 2014 hack of Sony Pictures in response to “The Interview,” a movie starring James Franco and Seth Rogen that depicted the assassination of North Korean leader Kim Jong Un.
“It makes perfect sense that North Korea is targeting those defense contractors who provide the means of protecting our troops and our allies in the region,” Michael Krull told American Military News. Krull is CEO of CRA, Inc., adjunct professor of politics at Georgetown University and former campaign manager for Newt Gingrich’s Presidential campaign in 2012.
“For nearly a decade now, North Korea has been using a hacking force that has employed a wide variety of hacking attacks aimed at causing network disruption, as well as outright theft of technology. Their sophistication and audacity have been steadily growing,” Krull said.
And now, North Korea is likely targeting U.S. defense and military contractors.
“Recently, we’ve identified weaponized Microsoft Office Document files which use the same malicious macros [malware] as attacks from earlier this year,” Palo Alto’s report stated. “Based on the contents of these latest decoy documents, which are displayed to a victim after opening the weaponized document, the attackers have switched targets from Korean language speakers to English language speakers. Most notably, decoy document themes now include job role descriptions and internal policies from U.S. defense contractors.”
One of the decoy documents was a job description for a management position on the Terminal High Altitude Area Defense (THAAD) missile defense system, the system the U.S. would use in South Korea to intercept ballistic missiles launched from North Korea.
“The weaponized documents have been hosted on systems which we believe have likely been compromised and repurposed,” Palo Alto said. “Two of the URL paths used to host the weaponized documents on the compromised systems are exact matches (event/careers/jobs/description/docs). The payloads delivered by the weaponized documents are extremely similar to the payloads delivered by weaponized documents detailed in our April 2017 report on the threat group’s activity.”
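The report gives a defender two concrete things to look for: Office documents carrying VBA macros, and downloads from a web path that was identical on two compromised hosts (event/careers/jobs/description/docs). The following triage script is an added example, not Palo Alto Networks' tooling or anything from the article; the proxy log format, the sample log lines and the sample documents are constructed here, and the legacy-OLE check is a byte-pattern heuristic rather than a full compound-file parse.

```python
"""Triage helpers for the two indicators described in the report:
Office documents that carry a VBA project, and proxy-log downloads of
Office files from the shared hosting path quoted in the report.

Added example (not Palo Alto Networks' code). The log format and every
sample input below are constructed for this example.
"""
import io
import re
import zipfile
from typing import Dict, List

# Path fragment the report says matched exactly on two compromised hosts.
SHARED_PATH = "event/careers/jobs/description/docs"

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm)

# Office extensions worth flagging when served from the shared path.
OFFICE_EXT = (".doc", ".docx", ".docm", ".dot", ".dotm",
              ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm", ".rtf")

# Constructed log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes contain a VBA project.

    OOXML: any zip member named vbaProject.bin (word/, xl/ or ppt/).
    Legacy OLE: heuristic scan for the UTF-16LE directory-entry name
    "_VBA_PROJECT" that a VBA project storage carries. This is a
    heuristic, not a full CFB directory walk.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def flag_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return proxy-log entries that fetched an Office file from SHARED_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        url = m.group("url")
        # Drop scheme and host, then the query string, before matching.
        path = url.split("://", 1)[-1].split("/", 1)[-1] if "://" in url else url
        path = path.lower().split("?", 1)[0]
        if SHARED_PATH in path and path.endswith(OFFICE_EXT):
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "url": url})
    return hits


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder project
    return buf.getvalue()


# Constructed sample log: hosts, paths and file names are invented.
SAMPLE_LOG = [
    "2017-08-14T09:12:03Z 10.1.5.23 GET http://www.example-a.test/event/careers/jobs/description/docs/job_description.doc 200",
    "2017-08-14T09:13:41Z 10.1.5.23 GET http://www.example-a.test/images/logo.png 200",
    "2017-08-14T11:02:17Z 10.1.7.9 GET http://www.example-b.test/event/careers/jobs/description/docs/policy.docx 200",
    "2017-08-14T11:05:00Z 10.1.7.9 GET http://www.example-c.test/careers/jobs/policy.docx 200",
]

if __name__ == "__main__":
    print("macro docm flagged:", has_vba_macros(build_sample_docx(True)))
    print("clean docx flagged:", has_vba_macros(build_sample_docx(False)))
    for hit in flag_downloads(SAMPLE_LOG):
        print("download from shared path:", hit)
```

Run it as-is to see the two constructed downloads from the shared path flagged and the macro-bearing package distinguished from the clean one; in practice the log regex is swapped for the proxy's real format and `has_vba_macros` is run over the fetched files. A hit on either check alone is a lead, not a verdict: the report's point is that the same path, macro behaviour and payload recur across campaigns, so the overlap of indicators is what makes the match worth escalating.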
Palo Alto Networks also said: “The techniques and tactics the group uses have changed little in recent attacks. Tool and infrastructure overlaps with previous campaigns are apparent. Given that the threat actors have continued operations despite their discovery and public exposure it is likely they will continue to operate and launch targeted campaigns.”
“Palo Alto Networks researchers will continue to monitor this group’s activities and stay abreast of additional attacks using this tool set,” it added.
“In the U.S., 85 percent of critical infrastructure is owned by corporations, not government, so it is vital that these private sector entities work hand-in-hand with our military and intelligence professionals to secure their networks against attack,” Krull said. “Our defense contractors’ networks are attacked several times each day. They have an extra burden of protecting our nation, our troops and the allies that depend on us. They must secure both their networks and their technology from hacks.”