An attack campaign with possible ties to North Korea’s Lazarus Group targeted aerospace and military companies in Europe and the Middle East with spear phishing attacks late last year, according to researchers at ESET. The campaign, which the researchers call “Operation In(ter)ception,” used social engineering attacks on LinkedIn to trick employees into opening malware-laden documents.
“To initiate contact, they approached the targets with fictitious job offers using LinkedIn’s messaging feature,” the researchers write. “In order to appear credible, the attackers posed as representatives of well-known, existing companies in the aerospace and defense industry. For each of the targeted companies we investigated, the attackers had created a separate fake LinkedIn account: one impersonating an HR manager from Collins Aerospace (formerly Rockwell Collins), a major US supplier of aerospace and defense products; the other posing as an HR representative of General Dynamics, another large US-based corporation with a similar focus. “
Interestingly, while the attackers’ primary goal was espionage, ESET observed one case in which the attackers used a victim’s email account in an attempt to conduct a business email compromise (BEC) scam. While BEC attacks are usually associated with criminals rather than state-sponsored groups, North Korean cyber actors often conduct financially motivated attacks to generate revenue for their heavily sanctioned regime.
“Among the victim’s emails, the attackers found communication between the victim and a customer regarding an unresolved invoice,” the researchers explain. “They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed, to which the customer responded with some inquiries. As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer. The attackers did not respond to the customer’s inquiries and continued to urge them to pay. Instead of paying the invoice, however, the targeted customer reached out to the correct email address of the victim for assistance, thwarting the attackers’ attempt. The victim recognized something was amiss and reported the communication as an incident.”
Sometimes it’s espionage, and sometimes it’s fraud. Recognizing the motive can help recognize the attack. New-school security awareness training can provide your employees with the knowledge they need to thwart targeted social engineering attacks.