Germany’s Federal Intelligence Agency (BfV) and South Korea’s National Intelligence Service (NIS) have issued a joint advisory warning of an ongoing cyber-espionage operation conducted by North Korea. This operation specifically targets the global defense sector, aiming to steal advanced military technology information to bolster North Korea’s military capabilities. The advisory outlines two cases attributed to North Korean actors, including the Lazarus group, detailing the tactics, techniques, and procedures (TTPs) employed in these cyber attacks.
In one case, North Korean cyber actors executed a supply-chain attack by compromising the web server maintenance operations of a research center for maritime and shipping technologies. The intruders employed a series of attack steps, including stealing SSH credentials, abusing legitimate tools, lateral movement within the network, and attempting to distribute malicious files via spear-phishing emails. This incident underscores the sophistication and persistence of North Korean cyber threats, as they exploit vulnerabilities in IT service providers to infiltrate well-secured organizations.
The advisory also highlights a social engineering campaign by the Lazarus group, known as “Operation Dream Job,” that targets employees of defense organizations. Lazarus creates fake online personas and networks with targeted individuals to gain their trust over time. It then offers these individuals fake job opportunities and uses malicious documents or VPN clients to initiate cyber attacks. These tactics demonstrate the evolving nature of cyber threats and the importance of educating employees about common attack vectors to mitigate risks.
To defend against such cyber threats, the advisory recommends implementing security measures such as limiting access for IT service providers, monitoring access logs for unauthorized activity, and using multi-factor authentication. Additionally, organizations are advised to educate employees about social engineering tactics and adopt the principle of least privilege to restrict access to sensitive systems. These proactive measures are crucial for enhancing cybersecurity resilience and protecting against cyber espionage targeting the global defense sector.
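The recommendation to limit IT service provider access and monitor access logs can be turned into a simple review of SSH logins by provider accounts. The following is an added example, not code from the advisory: the account name, provider network, maintenance window, key-only expectation and log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy (hypothetical, not from the advisory): which accounts belong to
# the service provider, where they may connect from, when, and with key auth only.
VENDOR_ACCOUNTS = {"maint-vendor"}
VENDOR_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
MAINTENANCE_HOURS = range(8, 18)  # 08:00-17:59 local time

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <n>" message.
ACCEPTED = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<ip>\S+)\s+port\s+\d+"
)

def review_vendor_logins(lines):
    """Return (line, reasons) for each accepted provider login that breaks policy."""
    findings = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m or m["user"] not in VENDOR_ACCOUNTS:
            continue  # failed logins and non-provider accounts are out of scope here
        reasons = []
        try:
            src = ipaddress.ip_address(m["ip"])
            if not any(src in net for net in VENDOR_NETWORKS):
                reasons.append("source outside provider network")
        except ValueError:
            reasons.append("unparseable source address")
        if int(m["hour"]) not in MAINTENANCE_HOURS:
            reasons.append("outside maintenance window")
        if m["method"] == "password":
            reasons.append("password authentication")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = [
    "Feb 19 10:02:11 web01 sshd[1801]: Accepted publickey for maint-vendor from 198.51.100.20 port 50412 ssh2",
    "Feb 19 02:13:59 web01 sshd[2209]: Failed password for maint-vendor from 203.0.113.45 port 51230 ssh2",
    "Feb 19 02:14:07 web01 sshd[2211]: Accepted publickey for maint-vendor from 203.0.113.45 port 51234 ssh2",
    "Feb 19 11:30:45 web01 sshd[2290]: Accepted password for maint-vendor from 198.51.100.20 port 50877 ssh2",
    "Feb 19 03:00:00 web01 sshd[2301]: Accepted publickey for alice from 203.0.113.45 port 40000 ssh2",
]
```

Running `review_vendor_logins(SAMPLE_LOG)` flags the 02:14 login from an unexpected address and the password-based login, while the in-policy provider session passes.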