In an investigation by McAfee Advanced Threat Research (ATR), it was found that North Korean actors have been actively posing as recruiters in hopes of infiltrating the networks of aerospace and defense companies in other countries.
According to the researchers, the months-long espionage campaign also sought to deliver malware to targets in the U.S. and Europe.
While the researchers could not determine how successful the campaign was, they found that the attackers targeted potential victims with phishing emails carrying Microsoft Word attachments built around attractive job openings tied to active defense contracts.
"The victimology of these campaigns is not clear at this time, however based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents," the report said.
In their report, the McAfee researchers warned that the goal of the campaign is to plant malware that lets the attacker collect further data from the compromised machine.
This isn't the first time that North Korea has targeted victims in numerous countries with fake job offers.
Back in 2017, a similar campaign was launched using lure documents with job postings from leading defense contractors. Then in 2019, a criminal complaint from the Department of Justice alleged that state-sponsored actors had attempted to breach the American aerospace and defense firm Lockheed Martin using the same method.
The trick didn't work at that time, but as the researchers have shown, North Korean hackers aren't giving up.
Even though the method has received public exposure, North Korean actors are no less willing to reuse the same job-recruitment ploy as their method of attack.
Both incidents have been attributed to the threat actor group known as Hidden Cobra, an umbrella term the U.S. Government uses for threat groups attributed to North Korea.
Hidden Cobra consists of threat activity from groups the industry labels as Lazarus, Kimsuky, KONNI and APT37.
As for the content of the lures, the attackers are reported to have copied job descriptions from defense contractors' websites, describing sensitive work on military surveillance and security programs.
All of the files the attackers sent were created with Word 2016 on a system that had both English and Korean languages installed.
The researchers' analysis of the document metadata provided strong evidence that the malicious documents were derived from a common root document.
These template files contain Visual Basic macro code that loads a DLL implant onto the victim's system.
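The metadata comparison described above is something an analyst can reproduce on a batch of suspicious documents without opening them in Word: a .docx/.docm file is a zip package whose docProps/core.xml and docProps/app.xml parts carry the author, creation timestamp, application version and template, and the presence of word/vbaProject.bin tells you the file carries a VBA project. The script below is an added example written for this article, not McAfee's tooling or any code from the report; the sample packages it builds in memory are constructed stand-ins with made-up values (the creator names, timestamps and filenames are invented), and it only reads the handful of fields shown, so a real triage would add more (content types, styles languages, hashes of the VBA project).

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used by the OOXML core and extended property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docm(creator, created, app_version, template, with_macro):
    """Constructed sample package for the demo (NOT a real lure).

    Only the parts that triage() reads are written; word/vbaProject.bin is a
    placeholder blob so the macro check has something to find.
    """
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
<dc:creator>{creator}</dc:creator>
<dcterms:created>{created}</dcterms:created>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
<Application>Microsoft Office Word</Application>
<AppVersion>{app_version}</AppVersion>
<Template>{template}</Template>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder vba project")
    return buf.getvalue()


def triage(data):
    """Pull the fields an analyst compares across lure documents."""
    info = {"has_vba": False, "creator": None, "created": None,
            "app_version": None, "template": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # A VBA project part is the simplest indicator that macros are present.
        info["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            info["creator"] = root.findtext("dc:creator", namespaces=NS)
            info["created"] = root.findtext("dcterms:created", namespaces=NS)
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            info["app_version"] = root.findtext("ep:AppVersion", namespaces=NS)
            info["template"] = root.findtext("ep:Template", namespaces=NS)
    return info


def cluster_by_root(samples):
    """Group documents whose creator, creation time and template all match.

    Different lures sharing the same dcterms:created stamp and template is the
    kind of metadata evidence that points at a common root document.
    """
    groups = defaultdict(list)
    for name, data in samples.items():
        info = triage(data)
        groups[(info["creator"], info["created"], info["template"])].append(name)
    return dict(groups)


# Constructed inputs: two "lures" cloned from one root, one unrelated file.
SAMPLES = {
    "lure_a.docm": build_sample_docm("author1", "2020-03-01T10:00:00Z", "16.0000", "Normal.dotm", True),
    "lure_b.docm": build_sample_docm("author1", "2020-03-01T10:00:00Z", "16.0000", "Normal.dotm", True),
    "unrelated.docx": build_sample_docm("someone", "2020-06-15T09:30:00Z", "16.0000", "Normal.dotm", False),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
    for key, members in cluster_by_root(SAMPLES).items():
        print("root candidate", key, "->", members)
```

An AppVersion of 16.0000 corresponds to Word 2016 era builds, which is the kind of value the researchers matched across their samples; the creator and creation timestamp are what survive intact when a document is copied and edited, which is why identical values across otherwise different lures are a useful clustering key.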
“Human beings are curious and flattered when we receive an interesting job offer from an interesting company,” Christiaan Beek, senior principal engineer and lead scientist at McAfee, said of the hacking campaign.
“If you were to receive a job offer for…a reporting position at an interesting company, wouldn’t you open it, too [after checking the email-headers of the source]?”
To reach and engage more potential victims, the attackers are also using LinkedIn. This method has proven successful in the past: in late 2018, a group of spies posing as employers on LinkedIn managed to compromise employees at two European aerospace and defense firms.