North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs

North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs

September 18, 2024 at 11:14AM

UNC2970, a North Korean threat actor, has been using job-themed lures to distribute new malware to individuals in critical infrastructure sectors. Mandiant reported that UNC2970 targeted individuals in the US, UK, Netherlands, Cyprus, Germany, Sweden, Singapore, Hong Kong, and Australia. The group has been using fake job descriptions to target senior- and manager-level employees.

Based on the meeting notes, here are the key takeaways:

– North Korean threat actor UNC2970 has been using job-themed lures to deliver new malware to individuals working in critical infrastructure sectors.
– Mandiant first detailed UNC2970’s activities in March 2023, after observing the group attempting to deliver malware to security researchers.
– UNC2970 was initially observed targeting media and technology organizations in the US and Europe with job recruitment-themed emails, and has been active since at least June 2022.
– Recent attacks by UNC2970 have targeted individuals in the aerospace and energy sectors in the United States, using job-themed messages to deliver malware to victims.
– The group has engaged with potential victims over email and WhatsApp, claiming to be a recruiter for major companies and sending password-protected archive files containing trojanized documents to victims.
– Mandiant identified the malware chain used in the attacks, involving the deployment of a backdoor named MistPen to download and execute PE files on compromised systems.
– The North Korean cyberspies have modified real job postings to better align with the victim’s profile, targeting senior/manager-level employees to gain access to sensitive and confidential information.

Furthermore, relevant related information includes FBI’s warning about North Korea aggressively hacking cryptocurrency firms, Microsoft’s attribution of North Korean cryptocurrency thefts, and the link of a Windows zero-day attack to North Korea’s Lazarus APT. Additionally, the Justice Department’s disruption of a North Korean ‘laptop farm’ operation is pertinent to the overall context.

Full Article