North Korean hackers target US defence contractors

Palo Alto has identified the attackers as the government-affiliated Lazarus Group

In the wake of the escalating tensions between the USA and North Korea - in a week that saw Donald Trump threaten the isolated nation with "fire and fury" - hackers from the Lazarus Group appear to have struck back, targeting US defence contractors.

Researchers at Palo Alto Networks said that it is 'clear' that the Lazarus Group, which also hacked Sony in 2014 (Operation Blockbuster), is behind the attacks; tools, techniques and procedures are shared between both operations.

'This reuse of macro source code, XOR keys used within the macro to decode implant payloads, and the functional overlap in the payloads the macros write to disk demonstrates the continued use of this tool set by this threat group,' Palo Alto says in its blog post. 'In addition to tool reuse, infrastructure overlaps also exist. URLs used for hosting the malicious documents and IPv4 addresses used for command and control overlap with infrastructure previously used by the group.'

Lazarus is widely accepted to be controlled by the North Korean government; it targets opposing regimes, and has recently become involved in attacking private companies and financial institutions.

In this most recent campaign, the attackers have been using infected Microsoft Office files, distributed through phishing emails and carrying the same macros observed in earlier operations. The documents are likely hosted on compromised servers, writes Palo Alto.
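Palo Alto's attribution rests on the macros' XOR decode routine and the payload they write to disk, so a triage script that flags those traits in extracted VBA source, and pulls out the XOR key as a pivot for correlating samples across campaigns, is a natural defender-side companion to this report. This is an added example, not Palo Alto's or the article's code; the two macro texts and the indicator patterns are constructed for illustration and are not taken from the campaign.

```python
import re

# Constructed sample of the pattern the report describes: an auto-executing macro
# that XOR-decodes an embedded buffer, writes it to disk and launches it.
SUSPECT_MACRO = """
Sub AutoOpen()
    Dim buf() As Byte
    buf = GetPayload()
    For i = 0 To UBound(buf)
        buf(i) = buf(i) Xor &H5A
    Next i
    Open Environ("TEMP") & "\\update.exe" For Binary Access Write As #1
    Put #1, , buf
    Close #1
    Shell Environ("TEMP") & "\\update.exe", vbHide
End Sub
"""

# Constructed benign macro for comparison: formatting only, no decode or write.
BENIGN_MACRO = """
Sub FormatReport()
    Range("A1").Font.Bold = True
End Sub
"""

# Heuristic indicators (assumed patterns, not a published signature set).
INDICATORS = {
    "auto_exec": re.compile(r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    # a For loop with an Xor within the next few lines: a byte-wise decode routine
    "xor_loop": re.compile(r"\bFor\b[^\n]*\n(?:[^\n]*\n){0,3}?[^\n]*\bXor\b", re.I),
    # binary file write: the decoded implant being dropped to disk
    "binary_write": re.compile(r"\bOpen\b[^\n]*\bFor\s+Binary\b[^\n]*\bWrite\b", re.I),
    "exec": re.compile(r"\bShell\b|WScript\.Shell", re.I),
}

def score_macro(vba):
    """Return the names of the indicators present in the VBA source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(vba)]

def is_suspicious(vba, threshold=3):
    """Flag a macro once enough independent indicators co-occur."""
    return len(score_macro(vba)) >= threshold

def xor_keys(vba):
    """Extract literal XOR operands (hex or decimal) for cross-sample correlation."""
    return re.findall(r"\bXor\s+(&H[0-9A-Fa-f]+|\d+)", vba, re.I)
```

Feed it the VBA text you have already dumped with an extraction tool; the key list is what you compare against earlier samples, since the report notes the same keys recurring across operations.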

One difference between this and earlier threats using the same payload is that these documents are written in English rather than Korean. They describe job openings at various defence contractors, such as Sikorsky's Mission Equipment.

When a computer is infected, the hacker(s) would be able to execute commands on the system. Although a basic capability, it would provide a foothold for more dangerous activity, such as installing additional tools or attempting to spread the infection to other machines on the network.

Palo Alto believes that the threat actors behind the attack will continue to use the same techniques in future campaigns.