Cyber-security firm McAfee publishes details about “Operation North Star”
While the world was in the midst of the COVID-19 pandemic, North Korean hackers were targeting the US defense and aerospace sectors with fake job offers in the hopes of infecting employees looking for better opportunities and gaining a foothold on their organizations’ networks.
The attacks began in late March and lasted throughout May 2020, cyber-security firm McAfee said in a report published today.
McAfee said these attacks, tracked under the codename “Operation North Star,” have been linked to infrastructure and TTPs (Tactics, Techniques, and Procedures) previously associated with Hidden Cobra, an umbrella term the US government uses to describe all North Korean state-sponsored hacking groups.
THE GOOD OL’ FAKE JOB OFFER TRICK
As for the attacks themselves, McAfee said they were run-of-the-mill spear-phishing emails that enticed recipients to open booby-trapped documents containing a possible job offer.
Many hacking groups have leveraged this lure in the past, and North Korean hackers also used it before in attacks against the US defense sector in campaigns that took place in 2017 and 2019, Christiaan Beek, Lead Scientist & Senior Principal Engineer, told ZDNet in an email.
In fact, the 2017 attacks were cited in the US indictment against a North Korean hacker believed to have taken part not only in those attacks but also in the creation of the WannaCry ransomware.
But the 2020 attacks also had their variations — namely the malware they delivered and the fact that some victims were also approached via social networks, and not necessarily via email.
The entire infection chain, from initial contact to how the malware operates, is summarized in the graphic below and described in full, glorious technical detail in the McAfee report.