Threat Management, Threat Intelligence

North Korea attacks targeting defense workers more covert than previously thought

McAfee researchers announced Thursday that an espionage campaign targeting defense and aerospace contractors using job offers on LinkedIn covered a broader geographic area than previously thought.

The campaign, called Operation North Star, was first reported by McAfee over the summer. The attacks showed similar tactics, techniques and procedures to the North Korean actor Hidden Cobra and targeted South Korean firms. The campaign phished employees by copying job opportunities from legitimate websites and crafting lures that were diligently tailored to the targets.

The new deep-dive from McAfee is based on access to a command and control server used by the campaign. It expands that geographic base to Russia, India, Australia and Israel. It also uncovered a previously unreported second stage implant – "Torisma" – being used in the campaign. But, said McAfee chief scientist Raj Samani, the most interesting new discovery might be the lengths Operation North Star went to protect itself.

"They were very conscious of the operational security," he told SC Media. "If anyone fell outside an allow list opened one of the word files, it would not attack."

If someone forwarded a job opportunity to a friend in need of work, for example, Operation North Star would turn down the easy target.

"This was not an attack of opportunism. This was an attack against specific victims," he said.

As SC Media reported in August, the campaign used malicious documents to install malware on the targeted system using what’s known as a template injection attack. This technique lets a weaponized document download an external Word template containing macros that are later executed. Samani said at the time that bad threat actors use template injection attacks to bypass static malicious document analysis, as well as detection, adding that malicious macros are embedded in the downloaded template.

The campaign itself might be a good teachable example for chief information security officers to use with employees about spear-phishing and social media, said Samani. It's one he's used for trainings.

"Nobody is going to turn to their IT department and say 'I was looking for a new job and opened this file that I think might be a problem,'" said Samani. "CISOs need to show employees they could easily be fooled by fake profiles and that it is not just the office who is a target. You are the target."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.