North Korea was behind the foiled hack into the heart of Israel’s defense establishment

The attack is part of an ongoing campaign by the notorious Lazarus Group trying to steal data and money in the service of Pyongyang

Raphael Kahan 09:52 13.08.20
A cyber attack targeting Israeli defense industry employees which was foiled by the ministry of defense was found to be part of an ongoing offensive campaign by the Lazarus Group. The group’s activities are linked to the North Korean government and many cyber experts have for years been treating it as a branch of the rogue state’s spy agency. According to people in the Israeli cyber industry who spoke to Calcalist on condition of anonymity, the group has been conducting its campaign for the last two years and its targets include states in Western Europe, Chile, and Asian countries.


According to the defense ministry, which successfully thwarted the campaign, the attackers approached employees in various defense companies through LinkedIn offering tempting job opportunities with the aim of hacking into their computer networks and gathering sensitive information.

The hackers, according to the ministry, used various techniques to entice their potential victims, including "social engineering" and impersonating human resources executives in multinational companies. “For the purpose of the attack, the hackers used legitimate websites of other companies and industries, without the companies’ knowledge,” the ministry said in a statement.

Israel's Ministry of Defense building in Tel Aviv. Photo: Bar Tal Shalom

The current campaign that targeted Israel was identified several months ago by Slovakia-based cyber company ESET, which handed its findings to the appropriate authorities. Lazarus Group attacks seek to steal information and money. Its activities are a way to infuse Pyongyang with foreign currency. The reason they chose LinkedIn is that it is easy to relay messages through the social network and embed malware into documents that are shared on it.

In recent years several weaknesses in LinkedIn’s security mechanisms were revealed, which were in turn remedied. It is not clear whether the current campaign took advantage of those weaknesses or of newer ones that have yet to be fixed. According to ESET’s cyber experts, the files were transferred directly via LinkedIn or via emails containing OneDrive links. The hackers created customized email accounts that matched their fake LinkedIn posts.

As soon as the recipient opened the innocent-looking PDF document, which showed information on the wages proposed for the fake position, the malware was installed on the victim’s computer, providing an initial foothold in the company’s computer systems. Next, the hackers carried out targeted attacks on European aviation and space companies. Among the tools they used was a multi-stage, personalized application that posed as a legitimate software tool, as well as various versions of development tools. They also misused Windows services to carry out additional actions.

LinkedIn's mobile app. Photo: Shutterstock
“The attacks we investigated displayed all the signs of espionage with several clues indicating a possible link to the notorious Lazarus Group. However, neither analysis of the malware, nor our investigation provided insights as to which files the hackers were targeting,” the company added.


The company said that in addition to the spying activities, ESET researchers also found evidence that the hackers attempted to use the hacked accounts in order to steal money from other companies.