This hacking group is using previously unknown tools to target defence contractors

Researchers have analysed 'Operation North Star' and found that as well as using new techniques, it picks and chooses infected targets to focus on the most valuable.
Written by Danny Palmer, Senior Writer

Hackers used previously unknown tools in a cyber-espionage campaign targeting defence and aerospace companies in a social engineering and phishing campaign that is more widely targeted than first thought.

Researchers at McAfee first detailed Operation North Star earlier this year, but further analysis reveals additional tactics and techniques of the campaign that has almost identical elements to Hidden Cobra – AKA The Lazarus Group – a hacking operation which the US government and others say is working out of North Korea on behalf of the government in Pyongyang.

The campaign is still based around spear-phishing emails and LinkedIn messages that pose as job recruitment messages in an effort to lure victims into opening malicious attachments. Hackers even use legitimate recruitment adverts and documents taken from popular US defence contractor websites to make the emails look more authentic.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

But now additional analysis by McAfee has revealed how the attackers use two stages of malware implants. All targets are compromised with the first stage of malware, which allows attackers to gather data including disk information, free disk space, computer name and logged-in username and process information.

The hackers analyse this information to determine if the victim is of high enough value to continue to with an attack – if the victim isn't deemed important enough, the machine is sidelined while the attackers focus on distributing a second stage malware to victims deemed more worthwhile of attention.

The second stage uses a previously known implant called Torisma, a custom-developed tool focused on specialised monitoring of high-value victims' systems, looking to gain access to login credentials and remote desktop sessions – all while remaining undetected.

"What is clear is that the campaign's objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world," McAfee researchers said in a blog post.

For Operation North Star, this meant researching specific target victims and creating custom content to lure victims in, then infecting them with malware in an effort to commit espionage.

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

Initial reporting of the campaign detailed attacks against targets in the US, but those weren't the only ones hackers were looking to compromise – analysis of the attacks has revealed that defence and technology contractors in Israel, Russia, India and Australia have also been targeted by this campaign.

"The actors behind the campaign were more sophisticated than they initially appeared. They are focused and deliberate in what they meant to achieve and more disciplined and patient in executing to achieve their objective," said researchers.

Cyber espionage isn't the only form of cyberattacks that North Korea is involved in; hackers working on behalf of Pyongyang regularly steal cryptocurrency to get around international sanctons. North Korea was also blamed for the WannaCry ransomware outbreak.


Editorial standards