Intelligence advisory: North Korea-backed cyber actors targeting defence sector supply chain
A joint cyber advisory issued by Germany and South Korea warned that North Korea-backed cyber actors targeting global defence sector supply chains to modernise the country’s military capabilities.
The German Federal Intelligence Agency (BfV) and South Korea’s National Intelligence Service (NIS) have issued a joint cybersecurity advisory warning against alleged cyberespionage operations against the global defence sector and its supply chain by actors promoted by the North Korean government.
The joint advisory highlights that North Korea supports these cyberattacks to steal advanced military technology information to modernise its military capabilities.
The advisory also cites two examples attributed to the North Korea-backed cyber actors. One of the incidents referred to is a 2022 incident where a North Korean cyber actor intruded into the systems of a research centre for maritime and shipping technologies and executed a supply-chain attack, compromising the firm and the target organisation’s web server maintenance operations.
The second case focuses on LAZARUS’s social engineering attacks on defence companies, known as ‘Operation Dream Job.’ This approach, ongoing since mid-2020, involves creating fake profiles on job portals, targeting individuals in defence companies with malicious files disguised as job offers. LAZARUS employs tactics like establishing trust through prolonged communication in English, offering enticing job positions, and using various methods to deliver malware, such as PDF attachments and links to cloud-based files. The group’s social engineering strategy has remained consistent, highlighting the effectiveness of exploiting human psychology.
Key findings from both cases underscore the cyber actors’ persistence, adaptability, and exploitation of trustful relationships. The document emphasises the need for organisations to be aware of evolving cyber threats and implement robust security measures. Mitigation strategies include regular employee briefings on cyber threats, limiting access during remote maintenance, monitoring system access records, implementing proper patch management procedures, and adopting multi-factor authentication (MFA).
The advisory provides specific recommendations for mitigating supply-chain attacks, including limiting access, maintaining audit logs, implementing secure website creation practices, and using multi-factor authentication for VPNs. Social engineering attack prevention guidelines include educating personnel on common tactics, limiting privileges, establishing a strict update and patch routine, and fostering a culture where employees report security incidents without fear of consequences.