The cyber attackers North Korea deploys against its adversaries, especially the United States, are increasingly becoming masters of impersonation.
This was among the fascinating insights offered by Ryan Sherstobitoff, senior analyst with the advanced threat research wing of software security giant McAfee, in a session at the 13th edition of the two-day cOcOn, the international hacking and cybersecurity conference organised by the Kerala Police, which got under way virtually on Friday.
He was talking about Hidden Cobra, the name given by the US to North Korea’s cyber offensive programme. The US has identified four major groups, Lazarus, Bluenoroff, Andariel, and APT37, as active under the programme.
Mr. Sherstobitoff said actors associated with Hidden Cobra had been impersonating defence sector employees since 2016 through fake profiles on LinkedIn, a US-based business and job-oriented online service. In fact, the US government tracked the number of impersonation campaigns targeting defence contractors, as covered in a Federal Bureau of Investigation indictment.
Noticeably, the command of English and other foreign languages of Hidden Cobra attackers has improved significantly. “They appear to know their targets, often impersonating legitimate people to appear authentic,” said Mr. Sherstobitoff.
He went on to share information about the various operations of Hidden Cobra over the past few years. Among them is Operation ‘Bankshot’, which targeted the Turkish banking sector and takes its name from what the US government called the implant used in the attack.
Mr. Sherstobitoff said a four-month-long fake job recruitment operation, in which major US defence contractors were targeted, was run under Hidden Cobra between April and July 2017. It particularly targeted defence programmes relating to Terminal High Altitude Area Defence (THAAD), Advanced Extremely High Frequency (AEHF), Relocatable Over the Horizon Radar, Unmanned Aerial Vehicle (UAV), and the Sikorsky Helicopter program.
“This operation was part of an elaborate impersonation campaign to ‘trick’ individuals into opening malicious document files disguised as job descriptions for roles involved with the targeted programs. Once opened, the documents load an implant that would take over the victim’s system,” said Mr. Sherstobitoff.
Based on the decoy document, it was an attempt to seize cutting-edge US technology pertaining to Black Hawk helicopters. The US has close to 30,000 military personnel deployed on the Korean peninsula, and the South Korean Air Force operates US-made Black Hawk helicopters, F-16s, and other advanced fighter jets.