An unnamed engineering company with energy and military customers was recently the target of a North Korean hacking group that has been operating since at least 2009, researchers said Wednesday.
The Threat Hunter Team at Symantec said the attackers breached the organization in February, probably by using the Log4j vulnerability “on a public-facing VMware View server.” Symantec is attributing the activity to Stonefly, which is also known as DarkSeoul, Operation Troy, Silent Chollima and BlackMine.
Researchers have associated some of Stonefly’s activity with North Korea’s infamous Lazarus Group hackers, who typically deal in high-value cybercrime but also have been linked to cyber-espionage.
In this case, Symantec said Stonefly is sticking with a trend first spotted in 2019: The group prefers “mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment.”
After the attackers breached the system, they compromised 18 other computers, installing a new version of their “Preft” backdoor and spreading open-source tools for malicious uses, the researchers said. Those included the publicly available 3proxy, WinSCP and Invoke-TheHash.
Ultimately, Stonefly “also deployed what appears to be a custom developed information stealer (infostealer),” Symantec said. That malware packages stolen data into ZIP files, but it’s unclear whether those files were ever collected.
“It is possible that the exfiltration functionality was removed and the attackers planned to use an alternative means of exfiltration,” the researchers said.
The researchers did not specify where the company is located.
Symantec traces Stonefly’s activity back to distributed denial-of-service (DDoS) attacks in July 2009 against South Korean, U.S. government, and financial websites. The group’s shift to cyber-espionage in 2019 was definitive, the company said, and the February incident bears clear hallmarks of Stonefly activity.
“While Stonefly’s tools and tactics continue to evolve, there are some common threads between this recent activity and previous attacks, such as its ongoing development of the Preft backdoor and heavy reliance on open-source tools,” Symantec said.