Lazarus hackers target defense industry with fake Lockheed Martin job offers

Updated: The APT has previously masqueraded as Northrop Grumman and BAE Systems.
Written by Charlie Osborne, Contributing Writer

Lazarus has been tied to a new campaign attacking hopeful job applicants in the defense industry. 

The advanced persistent threat (APT) group has been impersonating Lockheed Martin in the latest operation. The Bethesda, Maryland-based company is involved in aeronautics, military technology, mission systems, and space exploration. 

Lockheed Martin generated $65.4 billion in sales in 2020 and has approximately 114,000 employees worldwide. 

Lazarus is a state-sponsored hacking group with ties to North Korea. The prolific and sophisticated group is generally financially-motivated and is believed to be responsible for serious attacks in the past, beginning with the WannaCry ransomware outbreak, as well as the $80 million heist against Bangladeshi Bank, assaults against freight companies, and South Korean supply chains. 

On February 8, Qualys Senior Engineer of Threat Research Akshat Pradhan revealed a new campaign using Lockheed Martin's name to attack job applicants. 

In a similar way to past activities that abused the reputation of Northrop Grumman and BAE Systems, Lazarus is sending targets phishing documents pretending to offer employment opportunities. 

Also: Arid Viper hackers strike Palestine with political lures and Trojans

The documents, named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc, contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents, and create Scheduled tasks for persistence. 

Living Off the Land Binaries (LOLBins) is also abused to further the compromise of the target machine. However, when the malicious scripts attempted to pull in a further payload, an error was returned -- and so Qualys can't be sure what the final malware package was meant to achieve. 

"We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors," Pradhan says. 

This isn't the first time Lazarus has exploited job candidates or vacancies. F-Secure has previously found samples of phishing emails, masquerading as job offers, that were sent to a system administrator belonging to a targeted cryptocurrency organization.

In related research, Outpost24's Blueliv cybersecurity team has named Lazarus, Cobalt, and FIN7 as the most prevalent threat groups targeting the financial industry today.

Update 14.11GMT: A Lockheed Martin spokesperson told ZDNet:

"While we don't discuss specific threats or responses, we have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems and data security."

The company also has a dedicated fraud resource on its website. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards