North Korea's state hackers caught engaging in BEC scams

ESET researchers said they spotted North Korean state-sponsored hackers attempting to steal money from targets they initially breached for cyber-espionage purposes.

north-korea-reportedly-stole-2b-in-wave-5d4d934316e22d00012a3ac5-1-aug-13-2019-12-43-01-poster.jpg

Special feature

Cyberwar and the Future of Cybersecurity

Today's security threats have expanded in scope and seriousness. There can now be millions -- or even billions -- of dollars at risk when information security isn't handled properly.

Read More

At the ESET Virtual World security conference on Tuesday, security researchers from Slovak antivirus maker ESET have disclosed a new operation orchestrated by the Pyongyang regime's infamous state-sponsored hacker crews.

Codenamed "Operation In(ter)ception," this campaign targeted victims for both cyber-espionage and financial theft.

Speaking in a live stream to an audience of thousands, ESET security researcher Jean-Ian Boutin said the attacks have been carried out by members of the Lazarus Group -- codename given by security firms to North Korea's biggest hacking unit, part of the country's intelligence service.

Attacks targeted European aerospace and military companies

Boutin described how Lazarus members used LinkedIn job recruiter profiles and private messages to approach their targets. On the guise of conducting a job interview, victims were given archives to open and view files stored inside that allegedly contained salary and other information about their future jobs.

The ESET researcher says these archives contained malware-infected files that allowed the attackers to gain an initial foothold on the victim's computer.

interception-scheme.png

Image: ESET

Boutin says that once a victim would be infected, the Lazarus hacker would stop the interviewing process, tell the victim they didn't get the job, and proceed to delete the LinkedIn profile immediately after.

But on the infected employee's computer, the hackers would continue to operate using their initial foothold and expand their access inside the hacked company's network.

"We found that the attackers queried the AD (Active Directory) server to obtain the list of employees including administrator accounts, and subsequently performed password brute-force attacks on the administrator accounts," Boutin said.

ESET said that based on malware specific to "Operation In(ter)ception" they found, these attacks appear to have taken place between September and December 2019.

Targets usually included employees working at European aerospace and military companies, most of which were approached with fake job offers at competing or higher-profile companies.

BEC scam attempts

But Boutin said that once hackers gathered all the intelligence and proprietary data files they needed from a hacked company, the intrusion didn't stop there. Instead of erasing their footprints, the hackers moved on to attempting to scam the infected company's business partners.

Boutin said that Lazarus hackers rummaged through the hacked companies email inboxes and looked for unpaid invoices.

"They followed up the conversation and urged the customer to pay
the invoice, however, to a different bank account than previously agreed," the ESET team wrote in a report published today [PDF].

The attempt to defraud the victim's customers, also known as a business email compromise (BEC) scam, was thwarted, ESET said, as business partners usually noticed something off about the hackers' follow-up emails.

In the grand scheme of things, this isn't surprising as North Korean hackers have repeatedly engaged in cyber-heists for the past three years, targeting both banks and cryptocurrency exchanges.

In September 2019, the US Department of the Treasury imposed sanctions on entities associated with North Korea's hacking units, claiming the country was using its hacker groups to steal money and raise funds for Pyongyang's weapons and missile programs.

In addition, the use of LinkedIn for approaching targets has been an old tactic employed by North Korean hackers. In January 2019, the same Lazarus hackers used LinkedIn messages to contact employees working in the banking sector and arrange job interviews via Skype, where victims were given malware-laced files. This is how security researchers believe North Korean hackers breached Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks.