Warning of North Korean Cyber Threats Targeting the Defense Sector


The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) warning of cyber campaigns likely conducted by North Korean actors against the defense sector. North Korea's focus on military strength drives it to steal advanced defense technologies worldwide, using cyber espionage as a cost-effective method. The advisory outlines the DPRK's tactics, techniques, and procedures (TTPs), provides Indicators of Compromise (IoCs), and highlights two intrusion cases at defense facilities. The cyber actors, attributed to LAZARUS and another North Korean group, employ various methods including spear phishing and supply-chain attacks.

LAZARUS, a sophisticated group known for high-profile incidents, poses a significant threat, aiming to obtain sensitive data to bolster North Korea's military capabilities. The advisory aims to raise awareness among defense and other industries, providing technical details and mitigation strategies against such cyber threats, emphasizing education, access control, and network security measures.

Security Officer Comments:
Key Tactics, Techniques, and Procedures (TTPs) observed include:

  • Spear Phishing: LAZARUS targets individuals in the defense sector with tailored phishing emails, aiming to deceive them into revealing sensitive information or downloading malware.
  • Supply-Chain Attacks: Cyber actors infiltrate third-party vendors or service providers of defense organizations, exploiting their trusted relationships to gain access to target networks.
  • Social Engineering: LAZARUS utilizes sophisticated social engineering tactics, such as creating fake job profiles on online portals, to establish trust with targeted employees. Malicious files disguised as job offers are then sent to compromise target systems.
  • Remote Access and Lateral Movement: Once initial access is gained, cyber actors use legitimate tools and techniques to move laterally within target networks, escalating privileges and stealing valuable data.

Suggested corrections against indirect attacks through a vendor:

  1. Limit access to only the systems necessary when receiving remote maintenance and repair services, and authenticate users before granting them permissions and privileges.
  2. Store and maintain audit logs including system access records, and monitor them on a regular basis to detect anomalous access.
  3. Adopt a proper Patch Management System (PMS) procedure to verify user authentication, and implement an adequate verification and confirmation process for the final stage of distribution, since that stage is an easy target for supply-chain attacks.
  4. Always implement SSL/TLS when creating a website to prevent breaches of critical data including account information, even in a situation where logs are captured by a cyber actor.
  5. If employees are using a VPN to work from home, implement multi-factor authentication along with user ID and password authentication, and protect critical information including one-time password (OTP) authentication keys from disclosure to a third party.
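Items 1 and 2 above amount to a detection rule: vendor remote-maintenance accounts should touch only the systems they are contracted for, only during the agreed window, and only with the required authentication. The following is an added example, not code from the advisory or from either agency; the log format, the `vendor_svc` account, the maintenance window and the allowed-system list are all constructed for illustration. It parses a small set of constructed access-log lines and reports each event that violates the per-vendor policy.

```python
"""Flag anomalous vendor remote-maintenance access in an access audit log.

Added example: the log format, account names, IP addresses and policy
values are constructed for illustration and are not from the advisory.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed audit log. Fields: timestamp, account, source IP, target system, auth method.
SAMPLE_LOG = """\
2024-02-19T10:15:02Z vendor_svc 203.0.113.10 plc-gateway-01 mfa
2024-02-19T10:42:11Z vendor_svc 203.0.113.10 plc-gateway-02 mfa
2024-02-19T23:07:45Z vendor_svc 203.0.113.10 plc-gateway-01 mfa
2024-02-20T11:03:30Z vendor_svc 198.51.100.7 hr-fileserver password
2024-02-20T11:30:00Z eng_user 10.0.5.21 plc-gateway-01 password
"""


@dataclass(frozen=True)
class VendorPolicy:
    """What a vendor maintenance account is permitted to do (constructed policy)."""
    allowed_systems: frozenset
    window_start: time   # maintenance window, inclusive, in the log's time zone (UTC)
    window_end: time
    require_mfa: bool = True


# Hypothetical policy: the vendor may reach two PLC gateways, 08:00-18:00 UTC, with MFA.
POLICIES = {
    "vendor_svc": VendorPolicy(
        allowed_systems=frozenset({"plc-gateway-01", "plc-gateway-02"}),
        window_start=time(8, 0),
        window_end=time(18, 0),
    ),
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    src_ip: str
    system: str
    auth: str


def parse_log(text):
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, system, auth = line.split()
        # Normalise the trailing 'Z' so fromisoformat accepts it on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, account, src_ip, system, auth))
    return events


def find_anomalies(events, policies):
    """Return (timestamp, account, reason, detail) for every policy violation.

    Accounts without a vendor policy are ignored here; they belong to a
    separate rule set for internal users.
    """
    findings = []
    for ev in events:
        policy = policies.get(ev.account)
        if policy is None:
            continue
        ts = ev.ts.isoformat()
        if ev.system not in policy.allowed_systems:
            findings.append((ts, ev.account, "system_not_allowed", ev.system))
        if not (policy.window_start <= ev.ts.time() <= policy.window_end):
            findings.append((ts, ev.account, "outside_maintenance_window", ev.ts.time().isoformat()))
        if policy.require_mfa and ev.auth != "mfa":
            findings.append((ts, ev.account, "no_mfa", ev.auth))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), POLICIES):
        print(*finding)
```

On the constructed log this reports the late-night session on `plc-gateway-01` as outside the window, and the password-only login to `hr-fileserver` twice: once for touching a system outside the vendor's allow-list and once for missing MFA. The same structure applies to real access records once the parser is pointed at the organisation's own log format; the point is that the allow-list and window are stated explicitly, so a deviation is a concrete finding rather than a judgement call during review.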

Social Engineering Attacks: Prevention and Best Practices:

  1. Educate personnel about common social engineering tactics and encourage vigilance against suspicious password-locked documents or links.
  2. Establish an error culture where employees are encouraged to report security incidents without fearing consequences for being a victim of social engineering attacks.
  3. Limit privileges and access to sensitive data only to authorized users.
  4. Implement a strict update and patch routine to remove vulnerabilities in network systems.
  5. Apply these prevention guidelines to all domestic and overseas branches of the organization, including those that may seem peripheral to its core operations.