North Korean Cyber Gang Targets European Defense Industry With Fake Job Offers

ESET researchers have uncovered a cyberespionage campaign targeting Europe’s defense and drone sector.

Published on Oct 24, 2025
Written by Caitlin Harris

The North Korea-aligned APT group Lazarus has been observed targeting several companies in Europe’s defense industry with a new wave of the Operation DreamJob cyberespionage campaign.

According to researchers at ESET, some of the targeted organizations are heavily involved in the Unmanned Aerial Vehicle (UAV) sector, which suggests that the campaign may be linked to North Korea’s current efforts to develop its own drone program. 

“We believe that it is likely that Operation DreamJob was—at least partially—aimed at stealing proprietary information, and manufacturing know-how, regarding UAVs. The drone mention observed in one of the droppers significantly reinforces this hypothesis,” says ESET researcher Peter Kálnai, who discovered and analyzed the attacks.

However, at the time of the observed attacks, North Korean soldiers were deployed in Russia, reportedly to support Moscow’s attempts to repel a Ukrainian offensive in the Kursk region. As such, it’s also possible that the APT group was collecting sensitive information on Western-made weapons systems being used in the Russia-Ukraine war.

“We have found evidence that one of the targeted entities is involved in the production of at least two UAV models that are currently employed in Ukraine, and which North Korea may have encountered on the front line,” explains ESET cyberthreat analyst Alexis Rapin.

An Offer You Can’t Refuse

During the Operation DreamJob campaign, the adversary gains access by sending victims an attractive job offer (aka “dream job”) that, unfortunately, is too good to be true. Victims are manipulated into installing a trojanized PDF viewer in order to open documents pertaining to the “opportunity.” Once installed, the malicious payload gives attackers full remote access to the victim’s machine.

“We believe the key element to Lazarus group’s success is their persistence,” Kálnai told Expert Insights. “While Lazarus is often perceived as highly advanced, their initial access attempts frequently utilize (low-cost) social engineering techniques.”

Unfortunately, this type of social engineering is highly effective for three main reasons. Firstly, it targets a subset of particularly susceptible individuals: jobseekers. Secondly, there is a lack of awareness amongst end users. Security awareness training programs typically don’t cover suspicious or malicious hiring processes, and victims will likely encounter these attacks in their personal lives rather than in a corporate environment, where they may be more likely to be thinking about security. And finally, it is a relatively low-effort and low-cost method that can be carried out at scale.

“We draw parallels to the significant campaign targeting Lockheed Martin in 2016-2017,” Kálnai adds. “As detailed in the 2018 FBI criminal complaint, a North Korean state-sponsored actor (represented in the indictment as Park Jin Hyok) pursued the defense contractor’s network for approximately one year. The attempt was ultimately unsuccessful—a reflection of the target’s industry-leading internal security and resources.”