North Korea is most likely behind a new cyber-espionage campaign targeting US defense and aerospace firms earlier this year, according to McAfee.
The security firm’s Advanced Threat Research (ATR) group said it detected similarities in TTPs with previous campaigns in 2017 and 2019 which were attributed to Hidden Cobra — the umbrella term used to refer to Pyongyang’s Lazarus, Kimsuky, KONNI and APT37 groups.
The new “Operation North Star” attacks, spotted running from March to May, used a fairly rudimentary spear-phishing email featuring legitimate job ads at defense contractors as a lure.
“This recent campaign used malicious documents to install malware on the targeted system using a template injection attack,” McAfee explained.
“This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template.”
According to the report, victims were also targeted via social media.
Compromised infrastructure in European countries was used to host the command and control (C2) servers and distribute implants to targeted machines, it added.
However, the C2 infrastructure wasn’t active at the time of analysis, which limited McAfee’s insight into the campaign. The report also couldn’t establish exactly which organizations were targeted, because none of the spear-phishing emails could be retrieved.
McAfee does know that the lures were job ads for engineering and project management positions across various US defense programs, including: F-22 fighter jets, Defense, Space and Security (DSS), photovoltaics for space solar cells and the Aeronautics Integrated Fighter Group.