A well-known North Korean state-sponsored hacking group is reportedly behind a new espionage campaign aimed at extracting sensitive data from defense-related organizations. Kaspersky attributes the attacks with high confidence to the Lazarus Group, marking a strategic shift beyond the financially motivated crime that has typically financed the regime's programs.

The shift appears to have begun in early 2020 and relies on a backdoor known as ThreatNeedle. Researchers Vyacheslav Kopeytsev and Seongsu Park describe a methodical, multi-stage intrusion that starts with carefully crafted spear-phishing emails and ends with the attackers in remote control of compromised machines.

ThreatNeedle is delivered through COVID-themed phishing emails carrying malicious Microsoft Word attachments. When the recipient opens the document, an embedded macro runs and drops a first-stage payload that downloads further components onto the system; the final stage installs the ThreatNeedle backdoor on the Windows host. From there the attackers perform reconnaissance, move laterally through the network and exfiltrate data.
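The article does not describe the lure documents beyond "Word attachment with a macro", so the following triage routine is an added example, not code from Kaspersky's report or from the campaign itself. It inspects an Office Open XML attachment the way a mail-gateway or IR analyst would before opening it: is there an embedded VBA project, does the declared content type say macro-enabled, and does any relationship reach outside the file (the external-relationship check generalises beyond the page, covering remote-template style lures as well). The sample documents are constructed in memory with `build_sample_doc`, a helper that exists only for this example, so the whole thing runs offline.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Content types for the main document part: ordinary .docx versus macro-enabled .docm.
DOC_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
TPL_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def build_sample_doc(macro=False, remote_template=None):
    """Build a minimal OOXML package in memory (constructed test input, not a real lure)."""
    ct = (f'<Types xmlns="{CT_NS}"><Default Extension="xml" ContentType="application/xml"/>'
          f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN if macro else DOC_MAIN}"/></Types>')
    rels = [f'<Relationships xmlns="{REL_NS}">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<document/>")
        if macro:
            rels.append(f'<Relationship Id="rId9" Type="{VBA_REL}" Target="vbaProject.bin"/>')
            # OLE compound-file magic followed by a stub; real VBA projects are OLE containers.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        if remote_template:
            rels.append(f'<Relationship Id="rId2" Type="{TPL_REL}" Target="{remote_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def triage_office_doc(filename, data):
    """Return a list of human-readable findings for one attachment (empty list = nothing noted)."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML zip package (legacy binary .doc, RTF or non-Office file)"]
    names = z.namelist()

    # 1. An embedded VBA project is the part that actually carries macros.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("contains VBA macro project")
        if not filename.lower().endswith((".docm", ".dotm")):
            # A macro project under a .docx-style name deserves a human look.
            findings.append("macro project inside a non-macro extension (extension/content mismatch)")

    # 2. The declared content type tells Word whether this is a macro-enabled document.
    if "[Content_Types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
        findings.append("content type declares macro-enabled document")

    # 3. External relationships pull content from outside the file when it is opened.
    for n in names:
        if not n.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(z.read(n))
        except ET.ParseError:
            findings.append(f"unparseable relationships part {n}")
            continue
        for rel in root:
            if rel.get("TargetMode") == "External":
                target = rel.get("Target", "")
                if re.match(r"(?i)^(https?:|file:|\\\\)", target):
                    findings.append(f"external relationship to {target} ({n})")
    return findings


if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample_doc()),
                      ("lure.docx", build_sample_doc(macro=True)),
                      ("tpl.docx", build_sample_doc(remote_template="http://example.invalid/t.dotm"))):
        print(name, triage_office_doc(name, doc) or ["clean"])
```

A legacy binary `.doc` is not a zip and falls into the first branch; for those, a tool that parses OLE streams (for example oletools) is the right follow-up, and the same extension/content mismatch logic applies in reverse.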

“Once installed, ThreatNeedle gains comprehensive access to the victim’s device, enabling it to manipulate files and execute commands,” Kaspersky’s security researchers stated. The research also identifies similarities between ThreatNeedle and another malware family, Manuscrypt, employed in earlier Lazarus Group campaigns targeting sectors such as cryptocurrency and gaming.

Notably, Manuscrypt was also used in a recent Lazarus operation that targeted the cybersecurity industry itself: the attackers lured security researchers into collaborating on research and then infected them with malware, apparently to steal their vulnerability research for use in future attacks.

The attackers also defeated network segmentation: they compromised an internal router and configured it as a proxy server, giving them a path to move stolen data out of the isolated intranet to external servers. Kaspersky reports affected organizations in multiple countries, underscoring the breadth of the campaign.
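A router repurposed as a proxy leaves a recognisable signature in flow records, and that is worth showing since the article only names the technique. The detector below is an added example, not from Kaspersky's report: it runs over constructed flow records (the addresses, the 10.50.0.0/16 restricted segment, the router addresses and the legitimate router service ports are all assumptions of this example) and raises three kinds of alert: a router originating its own session to the internet, a restricted-segment host talking to a router on a port no router service should be listening on, and the two paired up as the inbound and outbound legs of a relay. It assumes flows are exported on the internal side of the router, so a flow whose source is the router's own address means the router itself started the session; on a NAT'd WAN interface every egress flow would carry the router's address and rule 1 would need to be dropped.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")

# Assumed network model for this example (not from the report).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RESTRICTED_NET = ipaddress.ip_network("10.50.0.0/16")          # the isolated segment
ROUTERS = {ipaddress.ip_address("10.50.0.1"), ipaddress.ip_address("10.10.0.1")}
ROUTER_SERVICE_PORTS = {22, 161, 443}                          # ssh, snmp, web UI
RELAY_WINDOW_S = 60      # max delay between the inbound and outbound leg of a relay
RELAY_TOLERANCE = 0.10   # allowed byte-count difference between the two legs

# Constructed flow records (ts src sport dst dport proto bytes); not real traffic.
SAMPLE_FLOWS = """\
2021-02-25T09:58:11Z 10.50.12.7 51234 10.50.0.1 22 TCP 2310
2021-02-25T10:00:02Z 10.50.12.7 51240 10.50.0.1 8080 TCP 15340000
2021-02-25T10:00:03Z 10.50.0.1 40212 203.0.113.40 443 TCP 15290000
2021-02-25T10:03:44Z 10.10.4.15 49822 10.10.0.1 161 UDP 430
2021-02-25T10:05:10Z 10.50.12.7 51250 10.50.12.9 445 TCP 9800
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow tuples with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto, int(nbytes)))
    return flows


def is_external(ip):
    """External means outside every range the organisation owns, not just non-RFC1918."""
    return not any(ip in net for net in INTERNAL_NETS)


def find_router_pivots(flows):
    """Return (rule, *flows) tuples for traffic consistent with a router used as a relay."""
    alerts, listeners, egress = [], [], []
    for f in flows:
        # Rule 1: the router itself originates a session to the internet. Routers
        # forward traffic; they should not be the source of outbound sessions.
        if f.src in ROUTERS and is_external(f.dst):
            alerts.append(("router-originated egress", f))
            egress.append(f)
        # Rule 2: a restricted-segment host connects to a router on a port that no
        # legitimate router service uses, which is what a planted proxy listener looks like.
        if f.src in RESTRICTED_NET and f.dst in ROUTERS and f.dport not in ROUTER_SERVICE_PORTS:
            alerts.append(("unexpected router listener", f))
            listeners.append(f)
    # Rule 3: an inbound leg followed shortly by an outbound leg from the same router
    # with a similar byte count is the flow-level shape of a relay.
    for lf in listeners:
        for ef in egress:
            delay = (ef.ts - lf.ts).total_seconds()
            if (ef.src == lf.dst and 0 <= delay <= RELAY_WINDOW_S and lf.nbytes > 0
                    and abs(ef.nbytes - lf.nbytes) / lf.nbytes <= RELAY_TOLERANCE):
                alerts.append(("proxy relay", lf, ef))
    return alerts


if __name__ == "__main__":
    for alert in find_router_pivots(parse_flows(SAMPLE_FLOWS)):
        legs = [f"{f.src}:{f.sport}->{f.dst}:{f.dport} {f.nbytes}B" for f in alert[1:]]
        print(alert[0], *legs)
```

Rule 2 is the one that catches the pivot even when the outbound leg is invisible (for example, when the router's internet-facing traffic is not exported at all); rule 3 is what turns two weak signals into one strong one.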

Among the observed spear-phishing emails, at least one was written in Russian, and another carried a malicious attachment named "Boeing_AERO_GS.docx," pointing to potential targets in the U.S. Earlier this month, the U.S. Justice Department indicted three hackers tied to North Korean military intelligence, charging them with conspiring to steal and extort more than $1.3 billion in cryptocurrency and cash from targets worldwide.

As Kaspersky's research indicates, since early 2020 the Lazarus Group's emphasis has shifted from financial institutions toward an aggressive focus on the defense sector. ThreatNeedle, first used against cryptocurrency businesses, is now being deployed for cyber espionage.
