The North Korean cyber-espionage group known as the Lazarus Group has been busy hacking US defense contractors, according to a report published on Monday by security research firm Palo Alto Networks.
The attacks are a continuation of a series of operations Lazarus Group had set in motion in April 2017, described in a separate report here.
Those attacks were aimed at South Korean organizations, but Lazarus Group has recently switched to US defense contractors, most likely in connection with the rising political tensions between the two countries, driven by inflammatory statements from both US President Donald Trump and North Korean leader Kim Jong-un.
While Trump threatened North Korea with nuclear retaliation on Twitter, Lazarus Group — believed to be a division of North Korea's state intelligence — had been busy sending specially crafted spear-phishing emails to employees at US defense contractors.
The emails came with attached Word documents that posed as job role descriptions and internal policies. Attackers lured employees at the targeted organizations into reading the documents as part of their normal work routine.
They also tried to trick victims into enabling macros, which would have resulted in the execution of malicious code and the installation of Lazarus Group malware on their PCs. Palo Alto did not elaborate on whether the attacks were successful.
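The lure relies on a Word attachment that carries a VBA project and on the recipient clicking "Enable Content". A mail gateway or triage script can flag such attachments before they reach a mailbox, because in the Office Open XML format macro code lives in a well-known part (`word/vbaProject.bin`) inside the zip container. The script below is an added example written for this article; it is not code from Palo Alto Networks or from the report, and the file names it builds (`role_description.docm`, `policy.docx`) are constructed samples. It classifies an attachment by container type and by whether a VBA part is present, and separately flags the case where a macro part sits inside a file whose extension (`.docx`) suggests it should carry none.

```python
import io
import zipfile
from typing import List, Set

# Parts inside an Office Open XML archive that hold VBA macro code.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Extensions that legitimately carry macros in the OOXML family.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
# Header of a legacy OLE2 compound file (.doc/.xls/.ppt), which is not a zip.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def find_macro_parts(data: bytes) -> Set[str]:
    """Return the VBA project parts present in an OOXML document (empty if none).

    Non-zip input (including legacy OLE containers) yields an empty set; the
    caller distinguishes those cases by header.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return MACRO_PARTS & names


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict for one attachment, based on container and macro parts.

    Verdicts:
      legacy-ole-container               - old binary format; inspect in a sandbox
      macro-enabled                      - OOXML with VBA and a macro extension
      macro-hidden-in-non-macro-extension - OOXML with VBA but a .docx/.xlsx/... name
      ooxml-no-macro                     - OOXML zip with no VBA part
      not-office                         - neither zip nor OLE
    """
    if data.startswith(OLE_MAGIC):
        # VBA inside OLE lives in storage streams; parsing that needs an OLE
        # reader, so route the file for deeper inspection rather than guess.
        return "legacy-ole-container"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    macro_parts = find_macro_parts(data)
    if not macro_parts:
        return "ooxml-no-macro"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled"
    # A VBA part under a non-macro extension is a mismatch worth flagging.
    return "macro-hidden-in-non-macro-extension"


def build_sample(parts: List[str]) -> bytes:
    """Build a minimal, constructed OOXML-style zip for testing the classifier."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for part in parts:
            zf.writestr(part, b"\x00")  # placeholder bytes, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples standing in for the lure documents described above.
    samples = {
        "role_description.docm": build_sample(["word/vbaProject.bin"]),
        "policy.docx": build_sample([]),
        "policy_renamed.docx": build_sample(["word/vbaProject.bin"]),
        "old_policy.doc": OLE_MAGIC + b"\x00" * 64,
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

In a gateway, "macro-enabled" and "macro-hidden-in-non-macro-extension" are the verdicts to quarantine or detonate; the legacy OLE verdict is a prompt to hand the file to a sandbox or an OLE parser rather than to deliver it. The check is cheap because it only reads the zip directory, not the document content.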
They did, however, elaborate on the similarities between this campaign and past Lazarus Group operations, leaving little doubt about who was behind the attacks.
Researchers say they found the following similarities between the recent campaign aimed at US defense contractors and past Lazarus operations:
Although we can never eliminate the possibility of false flags in APT research, Lazarus Group's long trail of artifacts left behind from previous hacks, along with the political escalation between the two countries, paints a pretty clear picture of who's behind the attacks.