The prime target of this campaign is officials from military and aerospace organizations.
A new, highly sophisticated espionage campaign targeting military and aerospace organizations across Europe and the Middle East has been discovered by cybersecurity firm ESET’s researchers. The campaigners attempt to lure company employees to extract money and/or sensitive documents.
Dubbed Operation In(ter)caption; the campaign was active from September to December 2019, and espionage is declared the primary objective behind this campaign.
However, it was observed in at least one of the incidents that the attackers tried to access the email account of the victim using a business email compromise (BEC) attack in the final stages of Operation In(ter)caption.
The financial motivation of attackers and the way this campaign has been designed forced ESET researchers to believe that the notorious hacking group from North Korea know as Lazarus is involved. For instance, some of the malicious tools used by the hackers in this campaign are the same that Lazarus hackers had used in the past, for example, the NukeSped backdoor.
Moreover, researchers suspect that the Lazarus Group is backed by the North Korean government as it may need to fund its illegal missile and weapons programs. This assumption is based on the fact that NukeSped was used by North Korean computer operators on Korean-speaking MacOS users previously.
“They were highly targeted and relied on social engineering over LinkedIn and custom, multistage malware. To operate under the radar, the attackers frequently recompiled their malware, abused native Windows utilities, and impersonated legitimate software and companies,” researchers wrote in their report [PDF].
The campaign, ESET researchers explained, starts with flattery. LinkedIn users act as recruiters from Collins Aerospace, which is a subsidiary of Raytheon, and General Dynamics. They send messages to employees associated with different aerospace and defense firms in Europe.
To trap the employees, the recruiters tell them that they are elites and a spot at Collins Aerospace is waiting for them.
In one of the cases, the fake recruiters requested the employee to download files containing salary information, which were sent to them in email, as the recruiters weren’t comfortable conversing in English. However, this was an infected PDF document that helped the attackers break into the employee’s computer.
“Once the contact was established, the attackers snuck malicious files into the communication, disguising them as documents related to the advertised job offer,” the researchers wrote after examining two European companies that were targeted in this campaign.
ESET researcher Boutin states that the attackers used aggressive and persuasive tactics to force their victims into opening malicious documents. When the attackers were able to access the company’s corporate network, they launched a brute-force attack to steal login credentials for administrative accounts.
One of the fake LinkedIn recruiter accounts caught targeting an Aerospace employe on Linked In (Image: ESET)
The nature of files stolen by the attackers is yet unclear and ESET researchers are still trying to evaluate it. However, given the type of companies targeted, the attackers might be after sensitive business and technical information.
To prevent detection, the attackers deleted their LinkedIn profiles and smuggled the stolen files into a Dropbox folder that they were controlling.
Creating fake social media accounts has been the favorite trick of hackers and scammers for interacting with potential victims. However, thanks to Google Search now you can identify if such an account is real or fake by searching the profile picture.
If you are on LinkedIn watch out for scammers aiming at your personal data and targeting your business/company for malicious purpose. Always carry out a background check on the recruiter luring you into lavish job offers.