A new cyber attack campaign launched by North Korean APT Lazarus Group is targeting the military defense industry. Lazarus weaponized two documents related to job opportunities from Lockheed Martin in the spear phishing attack. The discovery was made January 18, 2022. Here’s what you need to know:

What might the hackers be looking for?

North Korea has a long history of offensive cyber operations and has typically focused on three strategic objectives: revenue generation, disruption, and espionage. Often these objectives overlap, so it’s difficult to know exactly what the strategic goals of a given campaign are. However, when a defense contractor is in the mix, one would be forgiven for thinking that there’s an espionage element involved.

Who is Lazarus?

Lazarus Group is a name for the combined activities of North Korea’s threat actors – often attributed to the Reconnaissance General Bureau. As there’s a lack of standardization in the names of these actors outside of the intel world, the name is sometimes used as a bit of a catchall for North Korea’s offensive cyber operations. You’d know them best as one of the likely perpetrators of the Sony hack of 2014 – in fact, they’ve been around for well over a decade.

What should organizations look for in the latest spear phishing attack?

According to Malwarebytes Labs, the attack uses lures themed around job opportunities at U.S. defense contractor Lockheed Martin, delivered as two documents named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. The malicious payload is delivered by Windows Update, using GitHub as the command and control server. See the Malwarebytes blog post for more information.
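The two indicators above (the lure file names, and the payload being loaded through the Windows Update client) are the kind of thing a detection engineer can turn into process-creation rules. The script below is an added example, not code from Praetorian or from the Malwarebytes report. It assumes that "delivered by Windows Update" means the legitimate wuauclt.exe binary being invoked with its documented /UpdateDeploymentProvider switch to load a DLL from a user-writable path (a technique catalogued publicly in the LOLBAS project); the key=value event format, the sample events, the user name and the DLL path are all constructed, and the function names (parse_event, check_event, scan) are the example's own.

```python
import re
from typing import Dict, List

# Lure document names reported by Malwarebytes for this campaign.
LURE_DOCUMENTS = {
    "lockheed_martin_jobopportunities.docx",
    "salary_lockheed_martin_job_opportunities_confidential.doc",
}
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directories from which the Windows Update client legitimately loads its DLLs.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# key=value with quoted values). Not real telemetry from the campaign.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wuauclt.exe CommandLine="wuauclt.exe /detectnow" ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\wuauclt.exe CommandLine="wuauclt.exe /UpdateDeploymentProvider C:\Users\jsmith\AppData\Local\Temp\update.dll /RunHandlerComServer" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE /n C:\Users\jsmith\Downloads\Lockheed_Martin_JobOpportunities.docx" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt" ParentImage=C:\Windows\explorer.exe',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this event matches."""
    hits: List[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    cmd_lower = cmd.lower()

    # Rule 1: the Windows Update client is told to load a DLL that does not
    # live in a system directory (legitimate use points at System32).
    if image == "wuauclt.exe" and "/updatedeploymentprovider" in cmd_lower:
        m = re.search(r"/updatedeploymentprovider\s+(\S+)", cmd_lower)
        dll = m.group(1).strip('"') if m else ""
        if not dll.startswith(TRUSTED_DLL_DIRS):
            hits.append("wuauclt_untrusted_dll")

    # Rule 2: an Office application spawning the Windows Update client, which
    # is what a macro-driven delivery chain looks like in process telemetry.
    if image == "wuauclt.exe" and parent in OFFICE_BINARIES:
        hits.append("office_spawns_wuauclt")

    # Rule 3: one of the reported lure documents appears on a command line.
    for token in cmd.split():
        if basename(token.strip('"')) in LURE_DOCUMENTS:
            hits.append("known_lure_document")
            break
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan event lines and return one finding per event that matched a rule."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        rules = check_event(ev)
        if rules:
            findings.append({"image": ev.get("Image"), "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", ", ".join(finding["rules"]))
```

Rule 3 is brittle by design: attackers rename lures freely, so it is useful for scoping an incident after the fact rather than as a long-term detection. Rules 1 and 2 describe behaviour rather than file names and are the ones worth keeping; tune Rule 1 against your own baseline of wuauclt.exe command lines, since a DLL path containing spaces would need quoting that the simple `\S+` capture here does not handle.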

How effective can spear phishing attacks be?

Spear phishing is incredibly effective. At Praetorian, we are often retained by clients to test their defenses, and phishing – especially highly targeted phishing – has been a very potent tool in our arsenal. In fact, our hit rate is so good that defenders will often allow us to “assume breach”: start an engagement from the assumption that a malicious payload has already been dropped, because what they want to know is “what next” – that is, what can someone do once they are actually in. In short, phishing is one of the simplest initial entry points for an attacker. Often, it’s all you need to execute a catastrophic breach.

What can organizations do to protect themselves?

While end user training is important, it’s unfortunately not enough; users tend to be very task-centric, and so a skilled attacker can usually get through. It’s necessary but not sufficient.

The only effective response to phishing is a layered one. Carefully filtering messages and content that enters the company is a start, but it’s not enough – dealing with malicious messages that have already reached the inbox in the cloud is also critical. In fact, a whole category of products in the so-called Cloud Email Security Supplements space has sprung up to enhance protection in this area. Other tools, like browser isolation, can help keep malicious content from making it to the desktop.

In addition to perimeter defenses, keeping end user software fully patched is helpful, as is enabling multi-factor authentication. However, even with all this and more in place, you should assume that sooner or later you will be successfully phished. Thus, you need systems that can help detect an attacker moving laterally through your network. Do your best to keep the attackers out, and make sure that when they do get in, you can find them quickly.