Written by: Ryan Lee
In the vast realm of cyber threats, spear phishing is notorious. Historically, attackers utilised emails to lure their victims. However, as technology and user habits evolve, so do the methods of cyber attackers. The recent spear phishing attempt by the North Korean Lazarus Advanced Persistent Threat (APT) group on a Spanish aerospace organisation offers a testament to this evolution [1].
The malware was discovered by ESET’s researchers, who have dubbed this new threat “LightlessCan”. They suspect it is derived from the source code of the Lazarus Group’s flagship BlindingCan Remote Access Trojan (RAT).
Lazarus is a name that has become all too familiar for global corporations and their security divisions. Since its headline-making assault on Sony Pictures in 2014, Lazarus has cemented its reputation as one of the most formidable APT factions in operation today. Over time, the group has illicitly accumulated tens of millions of dollars from attacks on banks and financial entities, leaked vast amounts of classified data from sectors like defence, government, health, and energy, and has been behind numerous cryptocurrency thefts and supply chain disruptions.
Emails: No Longer the Sole Battlefield in Spear Phishing
To comprehend this shift in spear phishing tactics, it’s crucial to grasp its essence. Unlike generic phishing attempts that cast a wide net, spear phishing is a precision strike. It’s an attack meticulously tailored to target specific individuals or entities. The malicious actor often impersonates a trusted figure or organisation, leveraging this trust to deceive victims into revealing confidential data, clicking on treacherous links, or downloading malware.
The inherent vulnerability of emails was a boon for spear phishers for a long time. But as individuals and businesses fortified their email security and developed a healthy scepticism towards unsolicited emails, cyber attackers realised they needed a new avenue. This is where social media and e-commerce platforms come into play.
Why this shift? For one, these platforms have become integral to our daily lives. We chat, shop, and conduct business all within these ecosystems. Secondly, they often lack the stringent security measures that now guard our email inboxes.
ESET’s investigation into the breach at the Spanish aerospace firm revealed that Lazarus members secured their initial entry through a well-executed spear-phishing campaign aimed at particular company employees. The malicious actor posed as a hiring agent for Meta, Facebook’s parent company, contacting the aerospace company’s developers through LinkedIn Messaging.
An unsuspecting employee, duped by the initial communication, was presented with two coding tasks, ostensibly to gauge their competence in the C++ programming language. However, these coding tests, hosted on an external cloud storage service, contained hidden malicious software. When the employee attempted to tackle the tasks, this software covertly downloaded further malicious payloads onto their computer.
The Lazarus APT Group’s Ingenious Attack: A Case Study
The Spanish aerospace organisation was an emblematic victim of this new spear phishing approach. The modus operandi of the Lazarus APT group was a blend of in-depth research and cunning exploitation:
- Social Engineering Mastery
By deeply researching the organisation, its employees, and partners, the group impersonated familiar entities. Using information from public profiles, they painted a convincing facade, making their faux profiles almost indistinguishable from genuine ones.
- Tapping into Social Media Platforms
Trust is the currency of these platforms. Most users are more amenable to clicking on links sent via personal messages, thinking them safe. The Lazarus group capitalised on this, choosing these platforms over traditional emails to send malicious payloads.
- The Delivery
With trust secured, they deployed their masterstroke – a link. Seemingly harmless, this link was a gateway to credential harvesting sites or platforms that stealthily download malware onto the user’s device.
Aerospace Companies in the Crosshairs
Aerospace entities are increasingly targeted by APT groups affiliated with North Korea. The nation has conducted several nuclear tests and launched intercontinental ballistic missiles, actions that contravene United Nations (UN) Security Council resolutions. The UN closely observes North Korea’s nuclear undertakings to curb the development and proliferation of nuclear arms and other lethal weapons. Semi-annual reports issued by the UN highlight these activities, pointing out that APT groups with ties to North Korea target the aerospace sector to acquire confidential technological information and insights related to aerospace. Such knowledge is crucial given that intercontinental ballistic missiles traverse space outside Earth’s atmosphere during their midcourse stage. These reports also suggest that the financial proceeds from such cyber intrusions partially fund North Korea’s missile development efforts [2].
The fact that Lazarus targeted a Spanish aerospace firm is not unexpected, given the rapid advancements in Spain’s space sector over the past decade. Just this year, in September, Spain inaugurated its space agency, the Agencia Espacial Española. This move signals Spain’s aspiration to become a pivotal player in European space endeavours. Beyond aerospace titans like Indra and Airbus, Spain boasts a roster of renowned small to medium-sized space enterprises, including PLD Space, Elecnor, GMV, GTD, and Rymsa Espacio. Marking a significant milestone, PLD Space made headlines on 7th October 2023 by successfully launching Europe’s first privately owned, reusable rocket [3].
Implications for Singapore’s Aerospace and Aviation Industry
Aerospace entities and supply chains must enhance their cybersecurity strategies to thwart threats from APTs eager to access advanced space and defence technologies from the West. This cyber onslaught in Spain isn’t an isolated incident. In September 2023, Airbus disclosed its probe into a cyber breach after claims surfaced of a hacker leaking details of 3,200 of its vendors—including Rockwell Collins and Thales—on the dark web [4]. The leaked data encompasses names, positions, addresses, emails, and contact numbers. Such information could potentially be weaponised for targeted spear-phishing endeavours.
The aerospace sector in Singapore plays a pivotal role in its economic framework, accounting for S$13.3 billion and S$3.9 billion in value added in 2022 [5]. Singapore is renowned as a premier maintenance, repair and overhaul (MRO) hub in the Asia-Pacific, and domestic giants like ST Engineering Aerospace and SIA Engineering rank among the global top 10 in the commercial aviation MRO space. International aerospace and aviation powerhouses, including Rolls-Royce, Safran, Liebherr, Thales, Airbus, Bombardier, and others, have substantial operations or regional bases in Singapore.
In support of these multinational enterprises, a diverse set of local SMEs offers everything from design and certification to minute components like cables and rivets. Singapore’s intricate aerospace supply chain, which upholds stringent quality and safety standards, operates seamlessly to cater to the round-the-clock demands of the sector.
Whether large or small, each entity within this ecosystem could be a potential target for cyber attackers aiming to infiltrate the supply chain with malicious intent.
Fortifying Defences Against the New Wave of Spear Phishing
Recognising the shift in spear phishing tactics is half the battle. Here’s a proactive approach to defend against these attacks:
- Endpoint Protection
With endpoints (PCs, laptops, mobile devices) being the primary attack vectors, organisations must consider upgrading protection from traditional anti-virus to proactive Endpoint Detection & Response (EDR) tools or Managed Detection & Response (MDR) services to counter zero-day and fileless attacks.
- Regular Training and Awareness
Regularly update your staff with the evolving spear phishing techniques. They should understand the gravity of clicking unsolicited links, regardless of the platform of origin.
- Robust Authentication
Implementing two-factor authentication (2FA) adds an extra layer of security. Even if attackers obtain credentials, they’ll be stonewalled by this additional verification layer.
- Consistent Monitoring
A hawk-eye on network activity is essential. Monitoring ensures you can quickly identify and counteract any irregularities, thereby reducing potential damage.
- Software Hygiene
Keeping systems and software updated ensures that any known vulnerabilities are patched, shrinking potential entry points for attackers.
The Lazarus APT group’s audacious spear phishing campaign against the Spanish aerospace organisation underscores an undeniable truth: Cyber threats are not static. They are in flux, perpetually adapting to the changing digital landscape. As spear phishing expands its reach beyond emails, our understanding and defences must evolve in tandem. The aerospace industry is a very lucrative target. The onus is on individuals and organisations in this industry to stay informed, be sceptical, and prioritise cyber hygiene and endpoint protection across all digital touchpoints.