
ThreatNeedle malware tied to year-long North Korean espionage campaign against global defense industry

Researchers at Kaspersky have tied a piece of malware used by the Lazarus Group, last seen targeting security vulnerability researchers earlier this year, to another campaign by the North Korean hacking group: one focused on pilfering sensitive data from defense contractors in 12 countries since 2020.

Kaspersky researchers Vyacheslav Kopeytsev and Seongsu Park write that the group first gained an initial foothold through spearphishing emails. Many referenced or played off the global COVID-19 pandemic, while others mimicked job postings from defense contractors. The emails carried a malicious Microsoft Word attachment whose macro let the attackers deploy malware that Kaspersky calls ThreatNeedle, which installs a backdoor on victim networks and enables lateral movement and exfiltration of sensitive or confidential information.
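The attachment vector above is the kind of thing a mail gateway can triage structurally before any detonation. The following is an added example, not code from Kaspersky's report or from SC Media: it opens an Office Open XML attachment held in memory, checks whether it carries a VBA project part or a macro-enabled content type, flags the mismatch when such content arrives under a benign-looking .docx extension, and scans the VBA part for auto-execute and shell-out markers. The sample archive it builds is constructed for the demonstration and is not a real dropper; the marker lists and the block/sandbox/allow policy are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Content type Word writes for macro-enabled documents (.docm). A plain .docx
# carries neither this content type nor a word/vbaProject.bin part.
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Byte markers for auto-executing procedures and common shell-out primitives (assumed list).
# Caveat: VBA module source inside vbaProject.bin is MS-OVBA compressed, so a raw
# byte scan only sees whatever is stored uncompressed; use a decompressing tool
# such as olevba for full source recovery on real samples.
AUTO_EXEC_MARKERS = (b"AutoOpen", b"Auto_Open", b"Document_Open", b"AutoExec")
SHELL_MARKERS = (b"WScript.Shell", b"Shell(", b"CreateObject", b"URLDownloadToFile", b"powershell")


def triage_office_attachment(filename: str, data: bytes) -> dict:
    """Inspect an in-memory OOXML attachment and return structural findings."""
    findings = {
        "is_ooxml": False,
        "has_vba_part": False,
        "macro_content_type": False,
        "extension_mismatch": False,
        "auto_exec_markers": [],
        "shell_markers": [],
    }
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a ZIP container: legacy OLE2 .doc or something else entirely
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(archive.namelist())
    findings["is_ooxml"] = "[Content_Types].xml" in names
    content_types = archive.read("[Content_Types].xml") if findings["is_ooxml"] else b""
    findings["macro_content_type"] = MACRO_CONTENT_TYPE in content_types
    vba_parts = [n for n in names if PurePosixPath(n).name.lower() == "vbaproject.bin"]
    findings["has_vba_part"] = bool(vba_parts)
    # A file presented as .docx that contains a VBA project is disguised macro content.
    ext = PurePosixPath(filename).suffix.lower()
    findings["extension_mismatch"] = ext == ".docx" and (findings["has_vba_part"] or findings["macro_content_type"])
    for part in vba_parts:
        blob = archive.read(part)
        findings["auto_exec_markers"] += [m.decode() for m in AUTO_EXEC_MARKERS if m in blob]
        findings["shell_markers"] += [m.decode() for m in SHELL_MARKERS if m in blob]
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a mail-gateway action (assumed policy)."""
    if findings["extension_mismatch"] or findings["auto_exec_markers"]:
        return "block"
    if findings["has_vba_part"] or findings["macro_content_type"]:
        return "sandbox"  # a genuine .docm still deserves detonation before delivery
    return "allow"


def build_sample(vba_blob, macro_enabled: bool) -> bytes:
    """Constructed minimal OOXML archive for exercising the triage (not a real dropper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main_ct = (MACRO_CONTENT_TYPE if macro_enabled else PLAIN_CONTENT_TYPE).decode()
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if vba_blob is not None:
            z.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: macro content shipped under the benign-looking .docx extension.
    lure = build_sample(b'Sub AutoOpen()\r\nCreateObject("WScript.Shell").Run cmd\r\nEnd Sub', macro_enabled=True)
    result = triage_office_attachment("Boeing_AERO_GS.docx", lure)
    print(result, "->", verdict(result))
```

The structural checks are cheap and deterministic, which is why they sit in front of sandboxing: the extension mismatch alone is enough to refuse delivery, while a correctly labelled .docm is routed to detonation rather than blocked outright, since some business processes still rely on macros.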

The final payload can manipulate files and directories, execute received commands, profile the system, put a device into sleep or hibernation mode, control the backdoor process and update the backdoor's configuration.

Most concerning is that researchers observed how Lazarus operators bypassed at least one unnamed organization's network segmentation. The network was split into a corporate segment and a restricted segment, and the company operated under a strict internal policy of not exchanging information between the two.

However, devices with administrator access could connect to both networks to provide IT support. After gradually infecting a host of systems on the corporate side, the attackers gained control of admin devices, including an internal router that could reach both networks. They reconfigured the router into a proxy server and used it to infect the restricted network as well, then used a custom exfiltration tool to send the data to attacker-controlled servers directly from the company's intranet.
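The segmentation bypass described above leaves a signature in flow telemetry: a dual-homed admin device that accepts a session from an ordinary corporate host and shortly afterwards opens a session into the restricted segment is relaying, not administering. The following is an added example and not part of Kaspersky's report or SC Media's reporting: it runs three checks over constructed flow records (direct corporate-to-restricted traffic from a non-admin host, an admin device relaying within a time window, and bulk egress from the restricted segment to an external address). The CIDRs, the admin host list, the flow-record format, the 30-minute window and the one-megabyte egress threshold are all assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical segment layout (assumption, not from the report).
CORPORATE = [ipaddress.ip_network("10.10.0.0/16")]
RESTRICTED = [ipaddress.ip_network("10.200.0.0/16")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12"),
            ipaddress.ip_network("192.168.0.0/16")]
# Dual-homed IT support devices permitted to reach both segments (assumed).
ADMIN_HOSTS = {ipaddress.ip_address("10.10.5.20"), ipaddress.ip_address("10.10.5.21")}


def segment_of(ip: str) -> str:
    """Classify an address by the segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE):
        return "corporate"
    if any(addr in net for net in RESTRICTED):
        return "restricted"
    if any(addr in net for net in INTERNAL):
        return "other-internal"
    return "external"


def parse_flows(lines):
    """Parse 'timestamp src dst dport bytes' records (a constructed flow-log shape)."""
    flows = []
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def detect_segment_bridging(flows, window=timedelta(minutes=30), egress_threshold=1_000_000):
    """Return alerts for flows that violate or tunnel through the segmentation policy."""
    alerts = []
    # Rule 1: a non-admin corporate host talking straight into the restricted segment.
    for f in flows:
        if (segment_of(f["src"]) == "corporate" and segment_of(f["dst"]) == "restricted"
                and ipaddress.ip_address(f["src"]) not in ADMIN_HOSTS):
            alerts.append({"rule": "direct_cross_segment", "src": f["src"], "dst": f["dst"], "ts": f["ts"]})
    # Rule 2: an admin device relaying. An inbound session from an ordinary corporate host,
    # followed within the window by that device opening a session into the restricted segment.
    inbound = defaultdict(list)
    for f in flows:
        if (ipaddress.ip_address(f["dst"]) in ADMIN_HOSTS and segment_of(f["src"]) == "corporate"
                and ipaddress.ip_address(f["src"]) not in ADMIN_HOSTS):
            inbound[f["dst"]].append((f["ts"], f["src"]))
    for f in flows:
        if ipaddress.ip_address(f["src"]) in ADMIN_HOSTS and segment_of(f["dst"]) == "restricted":
            for ts, origin in inbound[f["src"]]:
                if timedelta(0) <= f["ts"] - ts <= window:
                    alerts.append({"rule": "admin_host_proxying", "origin": origin,
                                   "relay": f["src"], "dst": f["dst"], "ts": f["ts"]})
                    break
    # Rule 3: bulk data leaving the restricted segment (or an admin device) for an external address.
    for f in flows:
        from_sensitive = (segment_of(f["src"]) == "restricted"
                          or ipaddress.ip_address(f["src"]) in ADMIN_HOSTS)
        if from_sensitive and segment_of(f["dst"]) == "external" and f["bytes"] >= egress_threshold:
            alerts.append({"rule": "bulk_egress", "src": f["src"], "dst": f["dst"], "bytes": f["bytes"]})
    return alerts


# Constructed sample flows, not real telemetry: an admin device (10.10.5.20) is used as a
# relay by 10.10.33.7, which then also reaches the restricted host directly, and the
# restricted host pushes data out to an external address.
SAMPLE_FLOWS = """\
2021-02-10T09:00:00 10.10.5.20 10.200.1.15 445 52000
2021-02-10T09:05:00 10.10.33.7 10.10.5.20 3389 18000
2021-02-10T09:06:30 10.10.5.20 10.200.1.15 445 910000
2021-02-10T09:07:00 10.10.33.7 10.200.1.15 445 12000
2021-02-10T09:20:00 10.200.1.15 203.0.113.50 443 3400000
2021-02-10T11:00:00 10.10.44.2 10.10.5.21 3389 9000
2021-02-10T13:00:00 10.10.5.21 10.200.2.9 22 7000
""".splitlines()

if __name__ == "__main__":
    for alert in detect_segment_bridging(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The second rule is the one that matters for the scenario in the article: an admin device is allowed into the restricted segment, so rule 1 never fires on it, and only the pairing of an unexpected inbound session with a subsequent outbound session exposes the relay. The last two sample flows show the window doing its job: the 11:00 inbound session and the 13:00 restricted-segment session on 10.10.5.21 are two hours apart and are not paired. In production the window and byte threshold need tuning against the organization's real admin traffic, and the same logic applies to the router described above if its interfaces are treated as admin hosts.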

“Lazarus is not just highly prolific, but highly sophisticated,” said Kopeytsev in a statement. “Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spear phishing emails and built custom tools to extract the stolen information to a remote server.”

According to Kopeytsev and Park, the code used in ThreatNeedle is part of an advanced version of a larger malware family called Manuscrypt that has been used by Lazarus Group in previous hacking campaigns against the cryptocurrency and mobile games industries. They also found overlaps between ThreatNeedle command and control infrastructure and other malware clusters associated with Lazarus Group, including AppleJeus, DeathNote and Bookcode.

“We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group,” the Kaspersky researchers wrote.

The report does not specify which countries or companies were targeted, and it's unclear whether this campaign is related to another discovered in August that used very similar tactics to target IT workers from the defense industry. The report did, however, describe the campaign as “new and previously unknown,” focusing on the defense industry in at least a dozen countries over the past year.

At least one of the spearphishing emails referenced in the report is written in broken Russian, indicating the sender was not a native speaker. Another contains a malicious file attachment named Boeing_AERO_GS.docx, possibly a reference to the U.S. contractor, though it’s not clear if the intended recipient worked at the company.

When contacted by SC Media, the company provided few additional details about the specific organizations or countries affected. In a response sent by a spokesperson and attributed to both Park and Kopeytsev, the company said its investigation is "ongoing," that it has verified access to the attacker's infrastructure from 12 countries, that at least one victim was a Russian defense contractor, and that the group "generally targeted military intelligence" from its victims.

If new, it would not be the first or only time hackers have attempted to obtain the military secrets of their geopolitical adversaries by targeting the industries that supply them with weapons, equipment and technology.

In the United States, defense contractors operate under a range of protocols and requirements for protecting classified information, but even unclassified data holds secrets. In one example from 2018, Chinese hackers stole 614 gigabytes of research and development data from a defense contractor's unclassified network relating to a supersonic anti-ship missile intended for use on submarines, including signals and sensor data, details of the cryptographic systems it used and the Navy's electronic warfare library.

“There’s no question that adversaries, nation state and otherwise, can gain military advantage by unauthorized access to sensitive but unclassified technical information,” Robert Metzger, author of Deliver Uncompromised and an expert in supply chain security issues facing the defense industry, told SC Media.

Such "Controlled Unclassified Information" isn't technically secret, but it is often subject to heightened security requirements from the Department of Defense and the National Institute of Standards and Technology because it can provide valuable insights into U.S. military operations. Metzger said such concerns are more than hypothetical and extend not only to U.S. contractors but to allies as well.

“From unclassified technical information, an adversary can learn much about the contributing technologies and operational characteristics of defense systems. They can use that in many nefarious ways,” he said. “For example, they might attempt to mimic and produce their own variants of the stolen technology. Or they might adjust combat doctrines in order to dilute or nullify the advantage of the technology or system had its confidentiality not been compromised by cyber theft. A related and potentially more alarming possibility is that through access to and study of stolen unclassified information, an adversary can find ways to further attack the system so that its operation can be subverted and its functionality compromised.”

Kaspersky’s report also contains indicators of compromise and an appendix on MITRE ATT&CK mapping that defenders can use to detect the presence of ThreatNeedle on their networks.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
