A notorious hacking group experts have tied to the North Korean government has targeted an Israeli defense company, according to new research outlining what appears to be one of the group’s first attacks on an Israeli entity.
The unnamed company makes products used in the military and aerospace industries, and the hackers could have been after commercial secrets or more traditional espionage, according to ClearSky, the cybersecurity firm that exposed the operation. The suspected culprit is Lazarus Group, an industry term for a broad set of hackers associated with Pyongyang.
“We cannot be sure what the objective of the attackers [was],” Eyal Sela, head of threat intelligence at ClearSky, told CyberScoop in an email. “[It] could be industrial/commercial espionage but could be military espionage, for example.”
North Korean dictator Kim Jong Un has set ambitious economic goals, and some cybersecurity analysts have predicted he will unleash the Pyongyang-affiliated hackers to meet those deadlines by targeting multinational companies’ trade secrets. The expansion in targeting to include an Israeli defense company would be in keeping with Pyongyang’s track record of turning its hackers on whatever organizations could serve North Korean interests.
The veil was lifted on this campaign after an employee from the Israeli defense company received an email on March 7 in broken Hebrew from a colleague whose account was likely already breached, ClearSky said.
Researchers implicated Lazarus Group because of digital clues including a malicious implant known as Rising Sun that has been attributed to the group.
ClearSky assessed with “medium confidence” that Lazarus was behind the malicious activity. However, researchers said they were basing that on technical evidence and therefore could not rule out a false flag operation posing as Lazarus. Other private-sector experts who wished to stay anonymous helped with detection and analysis of the malicious activity, ClearSky said.
Israeli newspaper Haaretz was first to report on the research.
Analysis of the source code used by the hackers shows that a Korean language setting was enabled and that the malicious attachment was able to bypass the company’s email-filtering protections, as Ido Naor, an Israel-based researcher with Kaspersky Lab, pointed out.
From the source code, it is possible to see that the email was sent internally between two employees, Kr language is accepted and email protection missing the malicious #WinRAR #CVE201820250 attachment. pic.twitter.com/IaDCymZVjQ
— Ido Naor (@IdoNaor1) March 25, 2019
According to ClearSky, the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month.