North Korean hackers target defense industry with custom malware

[mood]

North Korean hackers target defense industry with custom malware

 

 

A North Korean-backed hacking group has targeted the defense industry with custom backdoor malware dubbed ThreatNeedle since early 2020 with the end goal of collecting highly sensitive information.

 

This espionage campaign affected organizations from more than a dozen countries and was coordinated by DPRK-backed state hackers tracked as Lazarus Group.

 

The attackers used COVID19-themed spear-phishing emails with malicious attachments or links as the initial access vector to the companies' enterprise network.

 

After the initial compromise, they installed the group's custom-made ThreatNeedle backdoor malware first used in 2018 in attacks targeting cryptocurrency businesses.

"Once installed, ThreatNeedle is able to obtain full control of the victim’s device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said earlier today.

 

Attack flow (Kaspersky)

 

ThreatNeedle helped the Lazarus hackers to move laterally throughout the defense orgs' networks and harvest sensitive info that got exfiltrated to attacker-controlled servers using a custom tunneling tool via SSH tunnels to remote compromised South Korean servers.

 

The backdoor also allowed them to bypass network segmentation and access restricted networks with mission-critical devices that didn't have Internet access.

"After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment," Kaspersky added.

"We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."

 

Throughout their attacks, the hackers were also seen stealing documents and data from both office IT networks (from devices used for storing business and customer info) and from restricted networks (commonly used for storing and managing highly sensitive data).

 

The Lazarus operators took control of administrators' workstations which later allowed them to set up malicious gateways that provided them with access to the restricted networks.

 

Campaign timeline (Kaspersky)

 

While the Lazarus Group has been known for focusing its efforts mainly on targeting worldwide financial institutions, starting with early 2020 when this campaign began, they switched their focus on "aggressively attacking" defense industry organizations.

 

After this move, the Lazarus hackers repurposed their ThreatNeedle malware for stealing sensitive information as part of targeted espionage attacks.

"Lazarus was perhaps the most active threat actor of 2020, and it doesn’t appear that this will change anytime soon," said Kaspersky GReAT senior security researcher Seongsu Park.

"In fact, already in January of this year, Google’s Threat Analysis Team reported that Lazarus had been seen using this same backdoor to target security researchers. We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out."

 

The Lazarus hackers are also tracked as HIDDEN COBRA by the United States Intelligence Community).

 

They are a well-known financially motivated cybercrime group as shown by their campaigns — they hacked Sony Films as part of Operation Blockbuster in 2014 and were behind the 2017 global WannaCry ransomware campaign.

 

 

Source: North Korean hackers target defense industry with custom malware

[aum]

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

 

 

A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry.

 

Attributing the attacks with high confidence to the Lazarus Group, the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.

 

This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle, researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up.

 

At a high level, the campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices.

 

ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro containing malicious code designed to download and execute additional payloads on the infected system.

 

The next-stage malware functions by embedding its malicious capabilities inside a Windows backdoor that offers features for initial reconnaissance and deploying malware for lateral movement and data exfiltration.

 

"Once installed, ThreatNeedle is able to obtain full control of the victim's device, meaning it can do everything from manipulating files to executing received commands," Kaspersky security researchers said.

 

Kaspersky found overlaps between ThreatNeedle and another malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries, besides uncovering connections with other Lazarus clusters such as AppleJeus, DeathNote, and Bookcode.

 

 

Interestingly, Manuscrypt was also deployed in a Lazarus Group operation last month, which involved targeting the cybersecurity community with opportunities to collaborate on vulnerability research, only to infect victims with malware that could cause the theft of exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby using them to stage further attacks on vulnerable targets of their choice.

 

Perhaps the most concerning of the development is a technique adopted by the attackers to bypass network segmentation protections in an unnamed enterprise network by "gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server."

 

The cybersecurity firm said organizations in more than a dozen countries have been affected to date.

 

At least one of the spear-phishing emails referenced in the report is written in Russian, while another message came with a malicious file attachment named "Boeing_AERO_GS.docx," possibly implying a U.S. target.

 

Earlier this month, three North Korean hackers associated with the military intelligence division of North Korea were indicted by the U.S. Justice Department for allegedly taking part in a criminal conspiracy that attempted to extort $1.3 billion in cryptocurrency and cash from banks and other organizations around the world.

 

"In recent years, the Lazarus group has focused on attacking financial institutions around the world," the researchers concluded. "However, beginning in early 2020, they focused on aggressively attacking the defense industry."

 

"While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks."

 

Source