North Korean-linked hacker group Lazarus is now targeting US defence contractors. The hacker group has previously been linked to massive global attacks, including the WannaCry ransomware epidemic, as well as attacks against international banks.
Security experts at Palo Alto say that the hacker group has launched a new phishing campaign targeting "individuals involved with United States defence contractors." The hackers were found sending phishing emails, containing malicious Microsoft Word documents, presumably in efforts to collect information.
The report of Lazarus' activities comes amid heightened tensions between North Korea and the US and just days after US president Donald Trump threatened "fire and fury" over Pyongyang's recent nuclear weapons advance.
Palo Alto researchers have said that the Lazarus group's hackers have done little to hide their identity and are currently "reusing tools, techniques, and procedures which overlap throughout these operations with little variance." The payload used by the hackers to target US defence contractors is nearly identical to that used by the group in April when they targeted South Korean organisations.
"Based on the contents of these latest decoy documents which are displayed to a victim after opening the weaponized document the attackers have switched targets from Korean language speakers to English language speakers. Most notably, decoy document themes now include job role descriptions and internal policies from US defense contractors," Palo Alto senior threat researcher Anthony Kasza wrote in a blog.
Although Lazarus has been linked to numerous global campaigns, including the now infamous Sony hack and the Bangladesh Bank cyberheist, some experts have previously suggested that North Korean hackers' recent activities switched focus from cyberespionage to stealing money for the impoverished hermit kingdom. Some of Lazarus' recent activities involved targeting financial institutions in South Korea as well as other countries. However, the new findings indicate that North Korean leader Kim Jong-un may have ordered his nation's hacker army to refocus on information gathering.
Palo Alto researchers said that Lazarus' campaign has continued ceaselessly since they first reported on it in April. "Given that the threat actors have continued operations despite their discovery and public exposure it is likely they will continue to operate and launch targeted campaigns," Kasza said.