An investigation into the Lazarus APT group and its attacks on defense sector companies was presented at ESET World 2022. ESET telemetry shows that the targets were in Europe (including Italy), the Middle East and Latin America. LinkedIn and WhatsApp were used for fake recruiting campaigns. According to the US government, Lazarus is linked to the North Korean regime.
During the annual ESET World conference, researchers from ESET, a global European leader in the cybersecurity market, presented a new investigation into the infamous Lazarus APT group. Jean-Ian Boutin, Director of ESET Threat Research, analyzed several new campaigns carried out by the Lazarus Group against defense companies around the world between late 2021 and March 2022.
In attacks in 2021-2022, according to ESET telemetry, Lazarus targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland and Ukraine) and in Latin America (Brazil).
While the primary goal of this operation was cyber espionage, the group also unsuccessfully attempted to exfiltrate money. "The Lazarus group showed ingenuity by deploying an interesting set of tools, including for example a user-mode component capable of exploiting a vulnerable Dell driver to write to kernel memory. This trick was used in an attempt to bypass security monitoring," says Jean-Ian Boutin.
Already in 2020, ESET researchers documented a campaign conducted by a subgroup of Lazarus against European aerospace and defense companies, calling it Operation In(ter)ception. This campaign was significant because it used social media, specifically LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components disguised as job documents or applications. At the time, companies in Brazil, the Czech Republic, Qatar, Türkiye and Ukraine had already been affected.
ESET researchers initially believed that the activity was aimed primarily at European companies, but by tracking a series of Lazarus subgroups running similar campaigns against defense companies, they soon realized that the campaign was much broader. Although the malware used in the various campaigns differed, the initial modus operandi always remained the same: a fake recruiter contacted an employee through LinkedIn and ultimately sent malicious components.
While the method of operation remained unchanged, ESET researchers also documented the reuse of elements of legitimate hiring campaigns to lend credibility to those run by the fake recruiters. For these activities, the attackers also used services such as WhatsApp or Slack.
In 2021, the United States Department of Justice indicted three North Korean military programmers on cyberattack charges. According to the US government, they belonged to the North Korean military hacking unit known in the infosec community as the Lazarus Group.
In addition to the new research on Lazarus, ESET presented "Past and Present Cyberwar in Ukraine" during its annual conference. Robert Lipovský, ESET researcher, took an in-depth look at the cyber war related to the conflict between Russia and Ukraine, including the latest attempt to compromise the country's power grid using Industroyer2 and various wiper attacks.
At ESET World, former commander of the International Space Station, Canadian astronaut Chris Hadfield, a key figure in ESET's Progress.Protected campaign, joined ESET CEO Richard Marko to discuss the complexities of technology, science and life.