Lazarus Group logo

The North Korean cyber-espionage group known as the Lazarus Group has been busy hacking US defense contractors, according to a report published on Monday by security research firm Palo Alto Networks.

The attacks are a continuation of a series of operations Lazarus Group had set in motion in April 2017, described in a separate report here.

Those attacks were aimed at South Korean organizations, but recently Lazarus Group had switched to US defense contractors, most likely in connection to the rising political tensions between the two countries, driven by inflammatory statements from both US President Donald Trump and North Korean leader Kim Jong-un.

Defense contractors targeted with spear-phishing campaign

While Trump threatened North Korea with nuclear retaliation on Twitter, Lazarus Group — believed to be a division of North Korea's state intelligence — had been busy sending specially crafted spear-phishing emails to employees at US defense contractors.

The emails came with attached Word documents that posed as job role descriptions and internal policies. Attackers lured employees at the targeted organizations into reading the documents as part of their normal work routine.

They also tried to trick victims into enabling macros, which would have resulted in the execution of malicious code and the installation of Lazarus Group malware on their PCs. Palo Alto did not elaborate if the attacks were successful.

Plenty of clues link attack to Lazarus Group

They did, however, elaborate on the similarities between this campaign and past Lazarus Group operations, leaving little doubt about who was behind the attacks.

Researchers say they found the following similarities between the recent campaign aimed at US defense contractors and past Lazarus operations:

▷ The macro source code was reused from the April 2017 campaign
▷ Attackers used the same XOR encryption key used in April 2017 to decode the malware payloads and infect computers
▷ Similar write-to-disk functionality
▷ Metadata similarities, most likely from the usage of the same automated build tool used to compile the malicious docs
▷ Malware uses the same fake TLS communications to mimic encrypted traffic, a well-known Lazarus Group practice
▷ Server infrastructure overlaps
▷ Malware connects directly to IPv4 addresses instead of resolving domains names
▷ Similar encoded strings within samples, filenames, and contents of batch files embedded within implants

Although we can never eliminate the possibility of false flags in APT research, Lazarus Group's long trail of artifacts left behind from previous hacks, along with the political escalation between the two countries, paint a pretty clear picture of who's behind the attacks.