Kaspersky security researchers have found evidence that the North Korean hacking collective known as Lazarus has added another target to its list of victims: the defense industry. Companies in more than a dozen countries have already been affected.
As previously reported by TechRepublic, Lazarus started off 2021 by targeting security researchers with offers of collaborating on malware research, only to infect victims with malware that could cause the theft of sensitive security-related data. Point3 Security strategist Chloé Messdaghi said the targeting of security researchers appeared to be an attempt to gain a foothold with people who have government connections, but the reason Lazarus was targeting them is unknown.
This attack on defense industry companies is just the latest pivot for Lazarus, which has been active and dangerous since at least 2009, Kaspersky said. Along with targeting security analysts, Lazarus has also been linked to ransomware campaigns, cyberespionage and attacks against the cryptocurrency market.
Kaspersky said it was made aware of this attack during an incident response that led to the discovery of a backdoor that researchers named ThreatNeedle. The backdoor moves laterally through infected networks with the goal of extracting confidential information and sending it to the attackers.
ThreatNeedle is delivered to targets via spearphishing campaigns that include infected Word documents and are written to sound urgent, frequently citing COVID-19 updates from medical centers. Once the document is opened, ThreatNeedle is installed, allowing the attacker to manipulate the infected machine and execute remote commands.
Kaspersky said that Lazarus is the source because ThreatNeedle belongs to the Manuscrypt malware family, which itself belongs to Lazarus and was used in previous attacks from the North Korean group. Interestingly enough, said Kaspersky senior security researcher Seongsu Park, ThreatNeedle uses the same backdoor that targeted security researchers in early 2021. “We expect to see more of ThreatNeedle in the future, and we will be keeping an eye out,” Park said.
ThreatNeedle may initially sound like the average laterally moving backdoor malware, but it’s anything but: This particular variety has been found to be capable of jumping between internet-facing office networks and restricted access operational technology (OT) networks where mission-critical hardware lives.
Under the victim companies' policies, Kaspersky said, no information was supposed to be transferred between the two networks, though administrators could connect to both for maintenance purposes. “Lazarus was able to obtain control of administrator workstations and then set up a malicious gateway to attack the restricted network and to steal and extract confidential data from there,” Kaspersky said.
“Not only were they able to overcome network segmentation, but they did extensive research to create highly personalized and effective spearphishing emails and built custom tools to extract the stolen information to a remote server. With industries still dealing with remote work and, thus, still more vulnerable, it is important that organizations take extra security precautions to safeguard against these types of advanced attacks,” said Kaspersky security expert Vyacheslav Kopeytsev.
Precautions that organizations should take, Kaspersky suggests, include:
- Providing staff with cybersecurity hygiene training and making them aware of internal security policies,
- Completely segmenting OT networks from IT networks,
- Providing security teams with up-to-date threat intelligence,
- Implementing dedicated OT network security, including traffic monitoring, analysis, and threat detection.
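
As an added illustration of the segmentation and traffic-monitoring precautions (this is not code from Kaspersky or the article), the sketch below reviews flow records for office-network hosts that open connections into the OT segment, and marks those that also reach external addresses, which is the position the compromised administrator workstations held. The subnets, the approved-host list and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan (assumption, not from the article).
IT_NET = ipaddress.ip_network("10.10.0.0/16")   # internet-facing office network
OT_NET = ipaddress.ip_network("10.50.0.0/16")   # restricted OT network
APPROVED_ADMIN_HOSTS = {"10.10.2.7"}            # workstations allowed to maintain OT

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 445),      # IT -> IT
    ("10.10.1.20", "203.0.113.10", 443),   # IT -> external, never touches OT
    ("10.10.2.7", "10.50.3.4", 3389),      # approved admin host -> OT
    ("10.10.2.7", "198.51.100.23", 443),   # same host -> external
    ("10.10.3.9", "10.50.3.8", 22),        # unapproved IT host -> OT
    ("10.50.3.4", "10.50.3.8", 502),       # OT -> OT
]

def zone(ip):
    """Classify an address as IT, OT or EXTERNAL under the plan above."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXTERNAL"

def find_boundary_crossers(flows, approved=APPROVED_ADMIN_HOSTS):
    """Report every IT host that connects into OT, and whether it also
    talks to external addresses (a possible path out of the OT network)."""
    ot_peers = defaultdict(set)
    reaches_external = set()
    for src, dst, _port in flows:
        if zone(src) != "IT":
            continue
        dst_zone = zone(dst)
        if dst_zone == "OT":
            ot_peers[src].add(dst)
        elif dst_zone == "EXTERNAL":
            reaches_external.add(src)
    return [
        {"host": host, "approved": host in approved,
         "reaches_external": host in reaches_external,
         "ot_peers": sorted(ot_peers[host])}
        for host in sorted(ot_peers)
    ]

if __name__ == "__main__":
    for finding in find_boundary_crossers(SAMPLE_FLOWS):
        print(finding)
```

An approved host with `reaches_external` set still deserves review, since the article describes approved administrator workstations being the ones turned into the gateway.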