North Korean Hackers Attack The Defense Industry

In mid-2020, Kaspersky Lab experts discovered a new malicious campaign by the Lazarus APT group. The attackers expanded their portfolio with attacks on the defense industry, in which they used ThreatNeedle malware belonging to the Manuscrypt cluster. As a result, the attackers managed to overcome network segmentation and gain access to confidential information. Enterprises in Russia were among the victims of the attacks. Connections to the attackers' infrastructure were also recorded from Europe, North America, the Middle East and Asia, which may indicate further victims in these regions.

Lazarus has been operating since at least 2009, organizing large-scale cyber espionage campaigns, operations using ransomware and even attacks on the cryptocurrency market. In recent years, the group has focused on attacks on financial institutions around the world. However, since the beginning of 2020, defense industry enterprises have been among the targets of attackers.

Kaspersky Lab was able to investigate the attack in more detail when one of the affected organizations asked for help. The company's experts discovered the ThreatNeedle backdoor on the network, previously seen in the Lazarus attacks on cryptocurrency companies.

The initial infection occurred through spear phishing: attackers sent emails with malicious Microsoft Word documents attached, or with links to such documents hosted on a remote server. The cybercriminals relied on a topical pretext, the prevention and diagnosis of coronavirus infection. The emails were purportedly written on behalf of an employee of a medical center that is part of the attacked organization.

If a user opened a malicious document and allowed macros to run, the malware proceeded to a multi-stage deployment procedure. After installing ThreatNeedle, attackers gained almost complete control over the device.

One of the most interesting details of this campaign is how the attackers overcame network segmentation. The network of the attacked enterprise was divided into two segments: corporate (a network whose computers have access to the Internet) and isolated (a network whose computers hold confidential data and have no Internet access). According to the security policy, any transfer of information between these segments is prohibited, that is, they must be completely separated. In reality, however, administrators were able to connect to both segments in order to configure them and provide technical support to users in both zones. The attackers obtained the credentials of a router that administrators used to connect to both the isolated and corporate networks. By changing its settings and installing additional software on it, they turned the router into a host for malware on the enterprise network. The router was then used to penetrate the isolated segment, extract data from it and send that data to the C&C server.
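As an added example (not from Kaspersky's report or this article), the following Python script shows one way a defender could hunt for the kind of bridging device described above: given flow records and an address plan, it lists hosts whose peers span both segments, together with how much data each received from the isolated side and sent to the Internet. The address ranges and the flow records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Address plan constructed for this example (not from the report): corporate segment
# 10.10.0.0/16, isolated segment 10.20.0.0/16, anything else counts as Internet.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
ISOLATED = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records "src,dst,bytes". 10.10.0.1 plays the administrators' router:
# it exchanges traffic with both segments and then pushes a large volume to an external host.
SAMPLE_FLOWS = """\
10.10.5.23,10.10.0.1,1200
10.10.0.1,10.20.3.7,48000
10.20.3.7,10.10.0.1,910000
10.10.0.1,203.0.113.45,905000
10.10.7.9,198.51.100.10,2300
10.20.4.4,10.20.4.5,500
"""

def zone(addr: str) -> str:
    """Classify an address as corporate, isolated or internet."""
    ip = ipaddress.ip_address(addr)
    if ip in CORPORATE:
        return "corporate"
    if ip in ISOLATED:
        return "isolated"
    return "internet"

def bridging_hosts(flows: str) -> dict:
    """Return, for every host whose peers span both segments, the bytes it received
    from the isolated segment and the bytes it sent to the Internet."""
    stats = defaultdict(lambda: {"zones": set(), "isolated_in": 0, "internet_out": 0})
    for line in flows.strip().splitlines():
        src, dst, nbytes = line.split(",")
        nbytes = int(nbytes)
        # The source's peer is dst; the destination's peer is src.
        stats[src]["zones"].add(zone(dst))
        stats[dst]["zones"].add(zone(src))
        if zone(dst) == "internet":
            stats[src]["internet_out"] += nbytes
        if zone(src) == "isolated":
            stats[dst]["isolated_in"] += nbytes
    return {h: {"isolated_in": s["isolated_in"], "internet_out": s["internet_out"]}
            for h, s in stats.items() if {"corporate", "isolated"} <= s["zones"]}

if __name__ == "__main__":
    for host, s in bridging_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: bridges both segments, {s['isolated_in']} B in from isolated, "
              f"{s['internet_out']} B out to Internet")
```

Any host the script lists is a candidate for the review the article implies: whether it should be reachable from both segments at all, and whether its outbound volume is explained by legitimate administration.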

“Lazarus was arguably the most active cyber group in 2020, and it seems to remain so. In January 2021, the Google Threat Analysis Team reported that Lazarus is using the same backdoor to attack cybersecurity researchers. We believe we will see ThreatNeedle more than once in the future and will continue to monitor this backdoor,” said Seongsu Park, senior expert at GReAT.

“Lazarus is not only an overactive group, but also a very advanced one. Attackers not only overcame network segmentation, but also conducted extensive research to create personalized and effective phishing emails and customized tools to transfer stolen information to a remote server. Businesses need to take additional security measures to defend against these types of cyber espionage campaigns,” adds Vyacheslav Kopeytsev, senior expert at Kaspersky ICS CERT.
