North Korea Hacker Group Targets Nuclear Engineers & Defense Industry
Lazarus Group Conducts 'Operation Dream Job'
The North Korea-linked Lazarus Group, also known as Hidden Cobra or TEMP.Hermit, has been conducting a long-running campaign called Operation Dream Job, targeting the defense industry and nuclear engineers. According to Kaspersky's APT trends report for Q3 2023, the threat actor tricks job seekers on social media into opening malicious apps for fake job interviews.
To avoid detection by behavior-based security solutions, the Lazarus Group uses trojanized versions of Virtual Network Computing (VNC) apps as lures. These backdoored applications remain dormant until the user selects a server from the drop-down menu of the trojanized VNC client, only then activating the malware, so the malicious behavior does not appear during automated analysis or on first launch.
Once launched, the counterfeit app retrieves additional payloads, including a Lazarus Group malware called LPEClient. This malware can profile compromised hosts, providing the hackers with valuable information. The group also deploys an updated version of COPPERHEDGE, a backdoor known for running arbitrary commands, performing system reconnaissance, and exfiltrating data. In addition, bespoke malware is used to transmit files of interest to a remote server.
The primary targets of Operation Dream Job are businesses directly involved in defense manufacturing (radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, and weaponry) as well as maritime companies. These industries play a crucial role in national security, making them attractive targets for state-sponsored hacking groups like Lazarus Group.
The modus operandi of Operation Dream Job involves contacting potential targets through suspicious accounts on platforms like LinkedIn, Telegram, and WhatsApp. The hackers pose as recruiters offering lucrative job opportunities to trick unsuspecting victims into installing malware. This tactic allows the Lazarus Group to gain unauthorized access to the target's network and steal sensitive information.
In a recent attack revealed by ESET, Lazarus Group targeted an aerospace company in Spain. The employees of the company received messages from fake recruiters, leading to the installation of malware on their systems. This incident highlights the global reach of Operation Dream Job and the ever-evolving tactics employed by the Lazarus Group.
Organizations in the defense industry and nuclear engineering sector need to be vigilant and take proactive measures to protect their networks against such sophisticated attacks. Implementing robust security solutions, regularly updating software, and educating employees about the risks of social engineering tactics are crucial steps in mitigating the threat.
As the Lazarus Group continues to evolve its techniques and target high-value industries, governments and cybersecurity organizations need to work together to track and disrupt their operations. By sharing intelligence and implementing effective countermeasures, we can protect critical infrastructure and safeguard national security interests.