North Korean hackers target European companies – Security

Goal: Financial gain and espionage

October 10, 2024, 10:00 a.m. | Author: Martin J. Kraemer / Editor: Diana Künstler

North Korean hacker groups are said to have increasingly targeted European organizations, including companies in the aerospace and defense industries. A current case shows that actors could expand their attacks on critical infrastructure.

In July, the accidental hiring of a North Korean hacker was reported. He was exposed because he was caught trying to install malware on his first day at work. Thanks to the strict security protocols and vigilance of the information security team, the hacker was exposed within 25 minutes after showing suspicious activity during the onboarding process, preventing unauthorized access to the systems. The FBI warned of the same danger as early as October 2023 [1]. The agency has since urged victims of DPRK IT workers or those who suspect they have been victimized to report the suspicious activity to the FBI Internet Crime Complaint Center (IC3).

Since then, several organizations across the United States have come forward, representing many industries from large Fortune 500 companies to small businesses. Some published their own reports, while others shared that they too had been affected by similar attacks. That’s not really surprising. Many companies prefer to keep cybersecurity incidents secret, especially when there is no obligation to disclose. They may be able to prove that no data was accessed or stolen. In this case, there is no disclosure requirement under GDPR, NIS2 or other regulations. Many could claim that they want to avoid damage to their image by keeping the incident secret.

The North Korean threat to European companies

So far there have been only a few reports of incidents at European companies similar to those at a German arms company. However, that doesn’t mean that European organizations might not already have several North Korean hackers on their payroll. European companies may already be paying employees who transfer their salaries to North Korean accounts through intermediaries. It is reasonable to assume that organizations in the European Union are also being infiltrated by fake employees in order to bring foreign currency to North Korea.

The North Korean regime and its affiliated hacker groups have targeted organizations in the West in the past, albeit with different goals. A campaign that was discovered about five years ago under the name Operation Dream Job [2] initially appeared to be aimed at the defense and aerospace sectors in the United States. Then it turned out that a Spanish aerospace and defense organization [3] was affected too. Operation Dream Job used social engineering tactics to gain access to the company’s systems and networks. The goal was and often is financial gain through the use of ransomware.

Lazarus and Kimsuky raise warnings

The Lazarus Group, a cyber espionage group linked to North Korea and Operation Dream Job, often approaches its targets in very convincing ways. The group identifies potential victims within organizations on LinkedIn and approaches them with fake headhunter profiles that are carefully crafted, including curated follower lists, to make them even more credible. Finally, the headhunter asks a potential applicant to read a PDF file with a malicious PDF reader, solve a malicious programming task, or install a malicious VPN client. If the threat actor is successful, they gain access to networks and systems, which can have fatal consequences for an organization, as the incident in Spain demonstrated. After the incident, the German government authority sent out a warning message [4] to alert organizations.

Critical infrastructure (KRITIS) in its sights

Martin J. Kraemer is Cybersecurity Awareness Advocate at KnowBe4.

What started with a focus on aerospace and defense is now beginning to concentrate on critical infrastructure organizations [5]. The goal remains the same: financial gain while simultaneously disrupting foreign states and their organizations. Operation Dream Job continues. In October it was announced that a German organization [6] was targeted by the North Korean group “Kimsuky”. In this case, the hackers were unsuccessful, but the North Korean search for information and intellectual property, as well as ways to extort money, continues. The aerospace and defense industries should not be left out of the crosshairs. Given the cases in Spain and Germany, it can be assumed that companies in the rest of Europe have also been targeted.

1

2

3

4

5

6
