CyberSecurity SEE

The Case of a Spanish Aerospace Company

ESET researchers have recently discovered an attack by the Lazarus group on an aerospace company in Spain. The group used various tools, including a previously undocumented backdoor called LightlessCan, to gain access to the company’s network. This attack began with a spearphishing campaign, where the Lazarus group posed as a recruiter from Meta, the company behind social media platforms Facebook, Instagram, and WhatsApp.

The attackers contacted employees of the aerospace company through LinkedIn Messaging and sent them two coding challenges disguised as part of a hiring process. The victims unknowingly downloaded and executed the challenges on their company devices. The first challenge was a simple project that displayed the text “Hello, World!”, while the second printed a Fibonacci sequence, a series of numbers in which each number is the sum of the two preceding ones.

With the cooperation of the affected aerospace company, ESET researchers were able to reconstruct the initial access steps and analyze the tools used by the Lazarus group. The researchers will present their findings about this attack at the Virus Bulletin conference on October 4, 2023.

One of the key aspects of this attack is the use of the LightlessCan backdoor by the Lazarus group. This backdoor is a significant advancement over its predecessor, BlindingCan, as it implements techniques to evade detection by real-time security monitoring software and to hinder analysis by cybersecurity professionals. LightlessCan mimics the functionality of native Windows commands, allowing the attackers to execute those commands within the backdoor itself rather than launching the real system utilities, which makes their activity harder to detect and analyze.

The Lazarus group, also known as HIDDEN COBRA, is a cyberespionage group linked to North Korea that has been active since at least 2009. They are known for carrying out high-profile attacks, including the hack of Sony Pictures Entertainment and cyberheists worth millions of dollars. The group has a history of targeting aerospace companies, particularly those involved in missile development.

North Korea-aligned APT groups target aerospace companies to gain access to sensitive technology and aerospace know-how. This is of concern because such know-how is relevant to intercontinental ballistic missiles, which spend their midcourse phase outside of Earth’s atmosphere, and because North Korea’s missile development activities are monitored by the United Nations to prevent further proliferation of nuclear weapons. Cyberattacks are believed to help fund North Korea’s missile development.

The attack on the aerospace company in Spain is attributed to the Lazarus group, specifically to a campaign known as Operation DreamJob, which targets defense and aerospace companies for cyberespionage purposes. The attackers gained initial access through LinkedIn and used malware disguised as coding challenges to compromise the victims’ systems. The malware used in this attack shares similarities with previous Lazarus campaigns, including the use of strong encryption and the compromise of existing servers.

Overall, this attack highlights the ongoing threat posed by Lazarus and its sophisticated techniques. Aerospace companies in particular need to be vigilant and take steps to protect their networks and sensitive information from cyber threats.
