An espionage campaign from North Korea’s Lazarus Group that was previously uncovered by Google researchers has now turned its attention to chemical sector organizations in South Korea, according to a report from cybersecurity company Symantec.
Google released a report in March identifying two North Korean government hacking campaigns that exploited Google Chrome 0-day CVE-2022-0609.
One of them – Operation Dream Job – had been running since at least August 2020 and most recently targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.
The campaign saw hackers send emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter, according to Google Threat Analysis Group’s Adam Weidemann.
The Threat Hunter Team at Symantec said Operation Dream Job has now been expanded to target chemical and IT sector organizations in South Korea.
They were able to tie the activity to Operation Dream Job based on file hashes, file names, and tools that were observed in previous Dream Job campaigns.
“The Lazarus group is likely targeting organizations in the chemical sector to obtain intellectual property to further North Korea’s own pursuits in this area,” Symantec explained.
“The group’s continuation of Operation Dream Job, as witnessed by Symantec and others, suggests that the operation is sufficiently successful.”
The company noted that the typical attack starts with a malicious link in an email and kicks off a chain of events that eventually allows the hackers to get into a system and move laterally within a network using Windows Management Instrumentation (WMI).
“In some instances, the attackers were spotted dumping credentials from the registry, installing a BAT file in a likely effort to gain persistence, and using a scheduled task configured to run as a specific user. The attackers were also observed deploying post-compromise tools, including a tool used to take screenshots of web pages viewed on the compromised machine at set intervals (SiteShoter),” Symantec said.
“They were also seen using an IP logging tool (IP Logger), a protocol used to turn computers on remotely (WakeOnLAN), a file and directory copier (FastCopy), and the File Transfer Protocol (FTP) executed under the MagicLine process.”
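The behaviours Symantec lists above (a process chain started through WMI, credentials dumped from the registry, a scheduled task set to run as a specific user, FTP launched under the MagicLine process, and the SiteShoter, IP Logger, WakeOnLAN and FastCopy tools) can each be expressed as a simple detection rule over process-creation telemetry. The script below is an added illustration written for this article; it is not Symantec's code and not from the Lazarus report. It assumes a hypothetical pipe-delimited log format (`timestamp|host|user|parent_image|image|command_line`) and constructed sample lines, and the executable names in `TOOL_NAMES` are assumptions, since the report names the tools but not their on-disk file names. The correlation step (flagging a host on which several distinct stages appear) is not described in the article and is added here as a generalisation.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). Format, hypothetical:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2022-01-17T09:12:01|WS01|corp\alice|C:\Windows\System32\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2022-01-17T09:13:44|WS01|corp\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg save HKLM\SAM C:\Users\Public\sam.hiv
2022-01-17T09:15:10|WS01|corp\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\Public\update.bat /sc onlogon /ru corp\svc_backup
2022-01-18T10:02:33|WS01|corp\alice|C:\Program Files\MagicLine\MagicLine.exe|C:\Windows\System32\ftp.exe|ftp -s:C:\Users\Public\up.txt
2022-01-18T10:05:00|WS01|corp\alice|C:\Windows\explorer.exe|C:\Tools\SiteShoter.exe|SiteShoter.exe
2022-01-18T11:00:00|WS02|corp\bob|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
"""

# Assumed executable names for the post-compromise tools named in the report.
TOOL_NAMES = {"siteshoter.exe", "iplogger.exe", "wakeonlan.exe", "fastcopy.exe"}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str):
    """Parse one pipe-delimited line; return None for malformed input."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        return None
    return Event(*parts)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned_process(e: Event) -> bool:
    # WmiPrvSE.exe as parent is the usual sign of a process started via WMI.
    return basename(e.parent) == "wmiprvse.exe"


def registry_hive_dump(e: Event) -> bool:
    # reg.exe saving the SAM/SECURITY/SYSTEM hives is a common way to
    # dump credential material from the registry.
    return basename(e.image) == "reg.exe" and re.search(
        r"\bsave\b.*\bhklm\\(sam|security|system)\b", e.cmdline, re.I) is not None


def schtask_run_as_user(e: Event) -> bool:
    # Scheduled task creation with an explicit run-as user (/ru).
    return (basename(e.image) == "schtasks.exe"
            and re.search(r"/create\b", e.cmdline, re.I) is not None
            and re.search(r"/ru\s+\S+", e.cmdline, re.I) is not None)


def ftp_under_magicline(e: Event) -> bool:
    # ftp.exe launched with a MagicLine process as its parent.
    return basename(e.image) == "ftp.exe" and basename(e.parent).startswith("magicline")


def dream_job_tooling(e: Event) -> bool:
    # Legitimate tools, but ones Symantec observed in this campaign; review on sight.
    return basename(e.image) in TOOL_NAMES


RULES = [
    ("wmi_spawned_process", wmi_spawned_process),
    ("registry_hive_dump", registry_hive_dump),
    ("schtask_run_as_user", schtask_run_as_user),
    ("ftp_under_magicline", ftp_under_magicline),
    ("dream_job_tooling", dream_job_tooling),
]


def detect(log_text: str):
    """Return (timestamp, host, rule_name, command_line) for every rule hit."""
    hits = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        for name, pred in RULES:
            if pred(ev):
                hits.append((ev.ts, ev.host, name, ev.cmdline))
    return hits


def hosts_with_chain(hits, min_stages: int = 3):
    """Hosts on which at least min_stages distinct rules fired (added correlation step)."""
    stages = {}
    for _ts, host, name, _cmd in hits:
        stages.setdefault(host, set()).add(name)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, host, name, cmd in found:
        print(f"{ts} {host} {name}: {cmd}")
    print("escalate:", hosts_with_chain(found))
```

Each rule on its own is noisy (administrators create scheduled tasks and use WMI too), which is why the correlation step only escalates a host once several distinct stages of the chain appear on it; the thresholds and field names should be adapted to whatever telemetry source is actually in use.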
Symantec also provided a detailed case study of one intrusion that ran from January 17 to January 20.
On Thursday, the US Treasury’s Office of Foreign Assets Control (OFAC) attributed one of the largest decentralized finance (DeFi) hacks ever to the Lazarus Group and sanctioned the group.
Chainalysis, a company that tracks illegal blockchain transactions, said in a January report that hackers working for the North Korean government and the Lazarus Group are believed to have stolen almost $400 million worth of cryptocurrency from seven hacked companies throughout 2021.