#### 19 Feb 2024

# Warning of North Korean cyber threats

 targeting the Defense Sector

## Summary

#### The Bundesamt für Verfassungsschutz (BfV) of the Federal Republic of Germany and

 the National Intelligence Service (NIS) of the Republic of Korea (ROK) are issuing a

 second Joint Cyber Security Advisory (CSA) to raise awareness of cyber campaigns

 highly likely carried out by cyber actors of North Korea against the defense sector

 targeting companies and research centers.

 The Democratic People’s Republic of Korea (DPRK) puts high emphasis on military

 strength and focuses on the theft of advanced defense technologies from targets

 around the world. The BfV and NIS assess that the regime is using the military

 technologies to modernize and improve the performance of conventional weapons

 and to develop new strategic weapon systems including ballistic missiles,

 reconnaissance satellites and submarines. DPRK increasingly uses cyber espionage as

 a cost-effective means to obtain military technologies.

 This Joint CSA details DPRK’s tactics, techniques and procedures (TTPs) and Indicators

 of Compromise (IoCs) as well as it introduces two representative cases of intrusions

1


-----

#### into facilities of the defense sector.

 The BfV and NIS attribute hacking incidents, described in this Joint CSA, individually

 to LAZARUS and another allegedly North Korean Cyber threat group. Though the main

 tradecraft of the first cyber actor is known to be spear phishing attacks against

 diplomatic and security experts, it recently appears to expand its targets to the

 defense and financial sectors. The LAZARUS group is a notorious and sophisticated

 cyber actor that has raised international attention for its involvement in a wide range

 of cyber attacks. LAZARUS is known for its advanced capabilities and involvement in

 high-profile incidents, including financial heists, ransomware campaigns, and cyber

 espionage. Successful cyber attacks in the defense sector may pave the way for DPRK

 to strengthening its military by obtaining sensitive and confidential data from across

 the globe.

 Since the cyber actors frequently change their infrastructure and constantly attack

 entities worldwide, the BfV and the NIS anticipate a similar trajectory in the future.

 This Joint CSA is published with the means to strengthen the defense industry in

 particular but also to inform other industry sectors as well as the public.

## Technical Details

#### In the following section two representative cases for systematic attacks against the

 defense sector will be outlined. Based on the TTPs used in attacks, the first case is a

 malicious campaign against a defense research center, and the second describes

 LAZARUS’ procedure of using social-engineering to attack defense companies.

2


-----

### ① Intrusion into a defense research center through a website maintenance

 & repair company

#### The DPRK recently prioritized strengthening its naval power. Therefor it constructed

 a new submarine in Sept. 2023. Before that, end of 2022, a North Korean cyber actor

 intruded systems of a research center for maritime and shipping technologies. The

 cyber actor executed a supply-chain attack, initially infiltrating a supplier for

 maintaining one of the research center’s webservers to subsequently compromise the

 primary target.

 The cyber actor further infiltrated the research facility by deploying remote-control

 malware through a patch management system (PMS) of the research center, and stole

 various account information of business portals and email contents. The authoring

 agencies used MITRE ATT&CK[1] to describe the attack flow.

_Figure 1 - Overview of supply chain attack flow_

1 MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based of real-world
observations.

3


-----

### Attack Flow

 1. The cyber actor breached a company for maintaining webservers of its target and

#### stole SSH access credentials. Then the actor remotely accessed the webserver

 (Linux) of the research center (T1133).

### 2. The actor used legitimate tools including curl, to download additional malicious

#### files from C2 servers such as a tunnelling tool for remote access (Ngrok) and a

 Base64-encoded Python script functioning as a downloader.

### 3. For lateral movement, the cyber actor established an SSH connection to other

#### servers related to the website; collected packets by running tcpdump at the

 servers; obtained additional information about the network; and stole account

 credentials of the target’s employees (T1040, T1046, T1021).

### 4. The cyber actor then used the account information of a security manager and

#### gained access to the email account in order to obtain information regarding an

 operating procedure of the PMS. The actor impersonated the security manager

 and sent an email to the PMS service provider requesting to create a patch file

 with malicious functions. Though the file with malicious code masqueraded as a

 legitimate file, the genuine security manager detected and successfully blocked

 the attempt to distribute the malicious patch file through PMS. The malicious

 code had functions to upload and download files, execute code, and to collect

 system information etc (T1041, T1001, T1071).

4


-----

|Tactics|Techniques|Description|
|---|---|---|
|Initial Access (TA0001)|External Remote Service (T1133)|SSH|
|Execution (TA0002)|Command and scripting interpreter (T1059)|tcpdump, ngrok and curl|
|Persistence (TA0003)|Valid Accounts (T1078)|Server admin account, Email account, SSL-VPN account|
|Defense Evasion (TA0004)|Indicator removal (T1070) Obfuscated Files or Information (T1140)|Files delete, File encryption and decoding|
|Credential Access (TA0006)|Network Sniffing (T1040)|tcpdump|
|Discovery (TA0007)|Network Sniffing (T1040) & Network Service Discovery (T1046)|tcpdump|
|Lateral movement (TA0008)|Remote Services (T1021)|SSH|
|Collection (TA0009)|Data from Information Repositories (T1213)|Website source code, Server configuration information|
|Command and control (TA0011)|Data Obfuscation (T1001) Application Layer Protocol (T1071) Protocol Tunneling (T1572)|AES-256, Use of HTTP protocol, ngrok|
|Exfiltration (TA0010)|Exfiltration Over C2 Channel (T1041)|HTTP C2 server|


### 5. Even after the research center strengthened the security, the cyber actor

#### continued malicious attempts by exploiting a file-upload vulnerability of the

 website and uploading a web shell as well as sending spear phishing emails.

### MITRE ATT&CK Matrix for Enterprise Linux platform(v14)

##### Tactics Techniques Description

 Initial Access (TA0001) External Remote Service (T1133) SSH

 Command and scripting Execution (TA0002) tcpdump, ngrok and curl
 interpreter (T1059)
 Server admin account,
 Persistence (TA0003) Valid Accounts (T1078) Email account,
 SSL-VPN account
 Indicator removal (T1070) Files delete,
 Defense Evasion
 Obfuscated Files or Information File encryption and
 (TA0004)
 (T1140) decoding
 Credential Access
 Network Sniffing (T1040) tcpdump (TA0006)
 Network Sniffing (T1040) &
 Discovery (TA0007) Network Service Discovery tcpdump
 (T1046)
 Lateral movement
 Remote Services (T1021) SSH (TA0008)
 Website source code,
 Data from Information Collection (TA0009) Server configuration
 Repositories (T1213)
 information

 Data Obfuscation (T1001) AES-256,
 Command and control
 Application Layer Protocol (T1071) Use of HTTP protocol,
 (TA0011)
 Protocol Tunneling (T1572) ngrok

 Exfiltration Over C2 Channel Exfiltration (TA0010) HTTP C2 server
 (T1041)

5


-----

### Key findings

#### Rather than a direct compromise of a target system, the cyber actor first conducted

 attacks against one of the research center’s vendors. As it became difficult during the

 COVID pandemic to have onsite maintenance & repair services for server

 infrastructure, remote services were provided instead. However, lacking security

 measures allowed unattended access to servers without access control.

 Usually the cyber actor stops its activity, when detected. However, in this case, even

 after PMS distribution and SSH remote access were blocked, the cyber actor made

 various attempts to maintain persistence, by uploading a web shell to the web page

 and sending spear phishing emails to the target’s employees.

 Furthermore, the actor avoided carrying out a direct attack against its target, which

 maintained a high level of security, but rather made an initial attack against its vendor,

 the maintenance & repair company. This indicates that the actor took advantage of

 the trustful relationship between the two entities.

 Please refer to the Article 26 (Security of Service Providers) of the Basic Guidelines for

 National Intelligence Security of the Republic of Korea for details about

 recommendations for Korean national and public organizations receiving remote

 maintenance and repair services from vendors. German national and public

 organizations can refer to the guidelines OPS.2.1 and OPS.1.2.5 provided by the

 Federal Office for Information Security (BSI).

6


-----

### ② North Korea’s Social Engineering Attacks 

#### In this second case the LAZARUS group’s distinctive skills in social engineering will be

 outlined. Since at least mid-2020 the DPRK took advantage of this attack vector to

 infiltrate defense companies. Due to the fact that in all observed cases the targeted

 employees of the companies received malicious files obfuscated in relation to job

 offers, the campaign soon was referred to as “Operation Dream Job”. Meanwhile for

 more than three years LAZARUS conducted this kind of attack against the defense

 sector and has proven to be an elusive and well-organized actor that poses a

 hazardous threat to not only cyber- but global security.

_Figure 2 - Overview of social engineering attack flow_

### Attack Flow

 In connection with cyber attacks, social engineering is a non-technical method

 that leverages human trust, curiosity, fear, or urgency to achieve malevolent

 goals. Over time it substantiated as a highly effective way to exploit human

 psychology and manipulating individuals into taking actions that could lead to

7


-----

### security compromises. The pervading tendency of social engineering attacks

 could emanate from the fact, that the security measures security operation

 centers (SOCs) nowadays apply, present an almost impregnable barrier for

 cyber actors. Although the LAZARUS group’s technical tactics changed, the social

 engineering strategy remained the same.

 1. As the first step for being able to use social engineering the actor creates a profile

#### on an online job portal. The profiles observed so far have been either a stolen

 profile of an existing person or a profile created with fake data. In both cases the

 profile is designated to look like a headhunter’s profile with a wide spread

 network of contacts to people working in the defense sector. Once the profile

 looks legit the actor continues with the next step.

### 2. The actor searches for possible targets by looking at the profiles of people working

#### for one of the companies of interest. Among these people the actor is looking for

 those who might have access to valuable assets like internal systems.

### 3. Once the actor found an employee suitable as a target, it might add contacts of

#### the target’s social circle to gain trust and reliability. Afterwards a connection to

 the employee is established via the job portal’s messaging service. The

 conversation with the target is initiated and in most cases held in English. The

 business small talk with the employee could last from days to weeks or even

 months and is supposed to establish trust. During this time the target is offered a

 job. Even if the targeted employee is not interested the attacker takes the time to

 persuade the employee, for example by highlighting the generous salary of the

8


-----

#### offered position. Pretending to start a discrete recruitment process the target is

 asked to shift the communication to another channel (i.e. WhatsApp, Telegram,

 Skype, Discord or other).

### 4. If the actor has successfully lured the targeted employee to another

#### communication channel, the actor evolved different approaches to circumvent

 security measures of the target’s employing company.

a. The actor sends a pdf file with a lucrative job offer tailored to the interests of

#### the targeted employee and a pdf reader which contains disguised malware.

b. The actor sends a file with superficial information about the position.

#### Successively if the employee wants to know further details the attacker sends

 a link to a file with in-depth information on the position to the corporate email

 address and makes sure the employee is at work at the time the link is

 provided. The linked file is stored on a cloud-based service and contains the

 first stage of malware.

c. More recently the job offers have been directed to programmers where the

#### actor sends zip files containing an iso image with a coding challenge which has

 to be solved as part of the recruitment process. As soon as the programmer

 executes the challenge, the machine gets infected with the first stage

 malware.

d. Another way the LAZARUS group attempts to get access to the company’s

#### network is by sending a malicious vpn client in a zip file.

9


-----

### Key findings

#### Universally the circumstance that employees usually do not talk to their colleagues or

 employer about job offers, plays into the hands of the attacker. The LAZARUS group

 changed its tools throughout the campaign and demonstrated more than once that it

 is capable of developing whatever is necessary to suit the situation.

## Mitigation

#### Following prevention guidelines in the Joint CSA are based on the observations made

 by the BfV and NIS. 

 Brief your employees on a regular basis about the latest tendencies in cyber attacks.

 This may deepen their understanding of cyber actors’ modus operandi which

 constantly evolves and ensure employees’ proper management when an actual

 intrusion happens.

 Since most of the attacks by North Korea´s cyber units are carried out through social

 engineering and supply-chain attacks, the following precautions shall be taken as

 applicable.

### Precautions against indirect attacks through a vendor

#### • Limit access only to necessary systems when receiving remote maintenance and

 repair services, and authentication shall be performed before user permissions

 and privileges are granted.

 • Store and maintain audit logs including system access records, and monitor them

10


-----

#### on a regular basis to detect an anomalous access.

 • Adopt a proper PMS procedure in order to verify user authentication, and

 implement an adequate verification and confirmation process for the final stage

 of distribution, as it can be easily targeted by malicious cyber actors for supply

 chain attacks.

 • Always implement SSL/TLS when creating a website in order to prevent breaches

 of critical data including account information, even in a situation where logs are

 captured by a cyber actor.

 • In case employees are using a VPN to work from home, a multi-factor

 authentication along with user ID and password authentication is highly

 recommended. In this case it is required to protect critical information including

 one time password (OTP) authentication keys from disclosure to a third party.

 • Please refer to section “Mitigations” of the first BfV-NIS Joint CSA published in

 March 2023 for details about spear phishing prevention guidelines.

### Social Engineering Attacks: Prevention and Best Practices

#### • The best preventive measure to avoid social engineering attacks starts by

 educating personnel about some of the common social engineering tactics. This

 includes vigilance against suspicious password-locked doc files or links and

 establishing an error culture in which employees are encouraged to report

 security incidents without fearing consequences for being a victim of social

 engineering attacks.

11


-----

#### • Another key element to mitigate the risk of social engineering attacks is limiting

 privileges and access to sensitive data only to authorized users.

 • In order to remove vulnerabilities in network systems a strict update and patch

 routine should be established.

 • These prevention guidelines are recommended to be applied to all domestic and

 overseas branches of your organization, including those which may be seen as

 distant from the mainstream.

### Contact

#### Report cyber security incidents or anomalous activity related to state-sponsored cyber

 actors to following organizations.

 ROK organization: 

 National Intelligence Service (Visit www.nis.go.kr or call +82 111)

 German organization: 

 Bundesamt für Verfassungsschutz (Visit www.verfassungsschutz.de, or 

 call +49 (0) 30-18 / 792-3322)

12


-----

|Section|IoC|Note|
|---|---|---|
|C2|connection.lockscreen.kro[.]kr/index.php|C2 URL|
||updating.dothome.co[.]kr/microsoft/app/google|C2 URL|
|MD5|3c2aa3687ac9f466ce909e2cb12b07a5|Remote control (EncryptModule_ Patch.exe)|
||4631ef8db9c36b0f2534ac7193f2587e|Malicious script (JSE)|
||607a2a8d2863c3144b8e901a16a76c33|Webshell (_banner.jsp)|

|Section|IoC|Note|
|---|---|---|
|Domain|chrysalisc[.]com|Domain|
||sifucanva[.]com|Domain|
||thefrostery.co[.]uk|Domain|
||rginfotechnology[.]com|Domain|
||job4writers[.]com|Domain|
||contact.rgssm[.]in|Domain|
|SHA-1|7da62cdb447a7ae3ae7b5f67a511e7cf2b26c7df|Boeing_Asia_ERP_IT_SA.zip|
||2e0d374f1e706ae1fa24558b54c5a1630302eab1|Boeing_Asia-ERP_IT_SA.iso|
||294706ae0585abaf4e6c5e66a7f5141ac4281d57|Amazon VNC.exe|
||127ced578e041f53b5988a7fefaa6e09e64f4bf9|AmazonVNC Viewer.exe|
||3bc8acdd07c6d91652101d9c8b3326bee372a007||


## Indicators of Compromise (IoCs)

### IoCs of the cyber campaign targeting a website maintenance & repair

 company of the defense sector

##### Section IoC Note

 connection.lockscreen.kro[.]kr/index.php C2 URL
 C2
 updating.dothome.co[.]kr/microsoft/app/google C2 URL

 Remote control
 3c2aa3687ac9f466ce909e2cb12b07a5 (EncryptModule_
 Patch.exe)
 MD5 Malicious script
 4631ef8db9c36b0f2534ac7193f2587e
 (JSE)
 Webshell 607a2a8d2863c3144b8e901a16a76c33 (_banner.jsp)

### IoCs of the social engineering campaign against the defense sector

##### Section IoC Note

 chrysalisc[.]com Domain

 sifucanva[.]com Domain

 thefrostery.co[.]uk Domain
 Domain
 rginfotechnology[.]com Domain

 job4writers[.]com Domain

 contact.rgssm[.]in Domain

 7da62cdb447a7ae3ae7b5f67a511e7cf2b26c7df Boeing_Asia_ERP_IT_SA.zip

 2e0d374f1e706ae1fa24558b54c5a1630302eab1 Boeing_Asia-ERP_IT_SA.iso

 SHA-1
 294706ae0585abaf4e6c5e66a7f5141ac4281d57 Amazon VNC.exe

 127ced578e041f53b5988a7fefaa6e09e64f4bf9
 AmazonVNC Viewer.exe 3bc8acdd07c6d91652101d9c8b3326bee372a007

13


-----

|Col1|7906270679014234b70aa63dd89e8282a945919c|Col3|
|---|---|---|
||7b4d0d8e3bfcd634bc7d7a17fb546b7e8316a681|Amazon VNC.zip|
||d5c8edb84e4ff33aea8865676ffe801ff0a71701|AMAZON_BSA_SKILL_ASSESS MENT_V2.ZIP|
||ac9021eb798de8323702a5aeb7c590f1ebaa3786||
||d5c8edb84e4ff33aea8865676ffe801ff0a71701|Amazon_BSA_SA_v2.iso|
|SHA-256|F3482A38BEFDCD7D0B87D86F24CDB209028BD847 1BAA6610548FB721086F5B85|Accenture_IT_SA.zip|
||47999FA014B6CC5A2A71BE590C93830371E259242 DFDBA7FFA2698F1900919EC|Accenture_IT_SA.iso|


##### 7906270679014234b70aa63dd89e8282a945919c

 7b4d0d8e3bfcd634bc7d7a17fb546b7e8316a681 Amazon VNC.zip

 d5c8edb84e4ff33aea8865676ffe801ff0a71701 AMAZON_BSA_SKILL_ASSESS
 MENT_V2.ZIP ac9021eb798de8323702a5aeb7c590f1ebaa3786

 d5c8edb84e4ff33aea8865676ffe801ff0a71701 Amazon_BSA_SA_v2.iso

 F3482A38BEFDCD7D0B87D86F24CDB209028BD847
 Accenture_IT_SA.zip 1BAA6610548FB721086F5B85
 SHA-256
 47999FA014B6CC5A2A71BE590C93830371E259242
 Accenture_IT_SA.iso DFDBA7FFA2698F1900919EC

### Yara[2] rule for detecting Operation Dream Job Files

#### The following YARA rule resulted from the examination of an Amazon VNC Viewer

 file’s behavior and will detect at least the three different Amazon VNC Viewer samples

 with the above provided hash values. The rule demonstrates how the provided IoCs

 could be used to detect cyber threats, if they are properly implemented.

2 YARA is a framework to help identifying and classifying malware samples based on patterns.

14


-----

#### (The square brackets of the URL have to be removed in order for the rule to work.

 Those have been added to prevent anyone from accidentally clicking on a malicious

 link.)

##### rule operation_DREAMJOB_AMAZON_VNC { meta:
 target_entity = “file” condition:
 for any vt_behaviour_command_executions in vt.behaviour.command_executions: 
 ( vt_behaviour_command_executions ==  “C:\\Windows\\System32\\wuapihost.exe -Embedding”  or vt_behaviour_command_executions == “\”%SAMPLEPATH%\\AmazonVNC 
 Viewer.exe\” “)  and for any vt_behaviour_http_conversations in vt.behaviour.http_conversations: (
 vt_behaviour_http_conversations.url == https://sifucanva[.]com/wp- includes/fonts/public/common.php) }

15


-----