Defense Contractor Hacking More Expansive Than First Thought
'Operation North Star' Hackers Used Fresh Tools Against Specific Targets
A hacking operation that targeted defense contractors earlier this year was more expansive than first thought, with hackers using never-before-seen malicious tools to target specific victims, according to an updated analysis by security firm McAfee.
In July, McAfee researchers described a sophisticated hacking operation dubbed "Operation North Star," which used fake job offer emails to target employees of aerospace and defense firms. This campaign started on March 31 and appears to have stopped by May 18 (see: North Korean Hackers Targeted US Aerospace, Defense Firms).
The original McAfee analysis found that the Operation North Star campaign used infrastructure, such as domains and phishing emails, that was similar to infrastructure previously deployed by a North Korean-linked hacking group that the U.S. government calls Hidden Cobra and other security researchers refer to as the Lazarus Group (see: US Offers $5 Million Reward for N. Korea Hacker Information).
And while North Korean hackers are suspected, further analysis is needed, the report notes. "This could indicate that either Hidden Cobra is behind Operation North Star or another group is copying the group’s known and established technology and tactics."
McAfee had been able to determine how the hacking group initiated the campaign with spear-phishing emails and social media links targeting specific employees, but further analysis of the command-and-control infrastructure painted an even more complex picture of the campaign. This includes never-before-seen malware implants deployed against victims and their devices to gather intelligence, according to this week's report.
The McAfee researchers also found that, after gathering data on targets, the hacking group would determine if a certain victim was worth pursuing further by gathering additional intelligence, according to the report.
"What is clear is that the campaign’s objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world," McAfee analysts Christiaan Beek and Ryan Sherstobitoff note in the new report.
Operation North Star started with targeted phishing emails aimed at specific employees with particular job titles. The emails contained a malicious attached document that, if opened, started the initial attack. The attached file first attempted to download a Microsoft Word template that contained macros, which then installed the malware on the device. Loading the macros from a remote template rather than embedding them in the attachment itself was a way to avoid security tools and software, according to the original McAfee report.
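A defender-side check for the remote-template hook described above, added here as an illustration rather than code from McAfee's report: an OOXML Word document declares an external attached template in word/_rels/settings.xml.rels, so a triage script can flag that relationship (and any embedded VBA project) before the file is opened. The sample package and the template URL in it are constructed for the test, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def triage_document(doc_bytes):
    """Inspect an OOXML Word package (.docx/.dotm) held in memory.

    Returns a dict with:
      remote_templates: external attachedTemplate targets declared in
                        word/_rels/settings.xml.rels (the hook that makes
                        Word fetch a template, and its macros, from a URL)
      has_vba:          whether the package itself carries a VBA project
    """
    result = {"remote_templates": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        result["has_vba"] = "word/vbaProject.bin" in names
        if SETTINGS_RELS in names:
            root = ET.fromstring(zf.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    result["remote_templates"].append(rel.get("Target"))
    return result


def build_sample(template_target=None):
    """Build a minimal OOXML package for testing (constructed sample, not a
    real lure). With template_target set, the settings relationships point
    at it as an external attached template, as a remote-template lure does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            zf.writestr(SETTINGS_RELS,
                        f'<Relationships xmlns="{REL_NS}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>'
                        f'</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", triage_document(build_sample()))
    print("suspect:", triage_document(build_sample("http://template.example/t.dotm")))
```

A document with no external template and no VBA project can still be malicious, so this is a cheap first filter, not a verdict.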
A further analysis of the attack noted that the hackers compromised and used legitimate web domains hosted in the U.S. and Italy as part of the command-and-control infrastructure, according to McAfee.
"These otherwise benign domains belonged to organizations in a wide variety of fields, from an apparel manufacturer, to an auction house, to a printing company, to an IT training firm," Beek and Sherstobitoff note in the report. "Using these domains to conduct [command-and-control] operations likely allowed them to bypass some organizations' security measures because most organizations do not block trusted websites."
Once a device was compromised, the hackers used malicious DOTM files, which are macro-enabled Word templates, to gather initial intelligence about the device, such as disk information, free disk space and the name of the PC, as well as the username and other process information, according to the report.
This data was gathered and then sent back to the command-and-control server and evaluated by the hacking group, according to the report. If the target was deemed worthy, a second malware implant, called Torisma, was then installed on the compromised device.
Torisma is a never-before-seen, custom-developed, second-stage malware implant designed to monitor a high-value target's device and files, the report states.
"Once installed, it would execute custom shellcode and run a custom set of actions depending on the victim systems' profiles," Beek and Sherstobitoff note. "The actions included active monitoring of the systems and execution of payloads based on observed events. For instance, it would monitor for an increase in the number of logical drives and remote desktop sessions."
The goal of the malware and selection process was to ensure long-term persistence and to ensure that targets that had access to the most important data were monitored, according to the report.
"The detailed job descriptions used to lure victims and the selective use of the Torisma implant suggest that the attackers were pursuing very specific intellectual property and other confidential information from very specific defense technology providers," according to the report. "Less valuable victims were sidelined to be monitored silently over an extended period of time until they become more valuable."
Expanded List of Victims
In the original McAfee analysis, Operation North Star appeared to target U.S. defense and aerospace firms. The updated analysis, however, shows a much more expanded list of potential victims, according to this week's report.
The original spear-phishing emails were written in Korean and included details about politics and other current events in South Korea. A further look at various IP addresses associated with the campaign shows that companies and employees in Russia, Israel, India and Australia were also targeted, according to the report.
"The campaign’s technologies and tactics - the installation of data gathering and system monitoring implants - suggests that the adversary is in a position to remain persistent, conduct surveillance on and exfiltrate sensitive data from its defense sector victims," the report states.
Other security firms have noted similar tactics used by suspected North Korean hackers to target defense firms.
In August, ClearSky found spear-phishing emails and fake LinkedIn posts used to target employees at these types of companies. The malware used in this campaign was also similar to variants previously associated with Hidden Cobra (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).