In a highly targeted social engineering attack against aerospace and military companies, hackers possibly linked to North Korea tried to steal money and information after contacting their victims on Linkedin, researchers at cybersecurity firm ESET said in a report this week.

The campaign targeted companies in Europe and the Middle East, with at least two European companies compromised in the attack.

The hackers impersonated HR managers at well-known companies like Collins Aerospace and General Dynamics to approach their targets with fictitious job offers, sending them malicious RAR file archives via Linkedin messaging or email that contained job details as a decoy.

When targets responded with questions, the attackers engaged in active conversation to build trust and encourage victims to open the archive. Once opened, an LNK file included in the archive executed malicious code that aimed to exfiltrate files from the victims’ computers and enable further intrusions.

The hackers also reportedly tried to compromise additional accounts across the companies’ networks.

“The primary goal of the operation was espionage,” ESET wrote in the report on the attacks, which took place between September and December 2019.

However, in one of the cases the company investigated after being alerted by a victim, the attackers eventually attempted to use the email account of a compromised company to trick one of its vendors into transferring money to a bank account controlled by the hackers.

“The attackers found communication between the victim and a customer regarding an unresolved invoice,” the researchers explained. “They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed.” 

The hackers also set up an email account using a domain name similar to that of the company that had been hacked, and using it to urge vendors of the targeted company to make payments to the other bank account — a trick that was discovered by the vendor and reported to the company that had been hacked, ESET researchers explained. 

While the investigation did not reveal strong evidence, the security firm found similarities in targeting, development environment, and anti-analysis techniques that suggest a link to the Lazarus Group, one of the most prolific and skilled cybercrime collectives suspected to be linked to the DPRK.

“The attackers deployed their custom, multistage malware, along with modified open-source tools,” the experts explained in a blog post accompanying the report.

One piece of code used in the attack, ESET alleged, was a variant of a malware family “attributed by ESET with high confidence to the Lazarus group.”

Linkedin told NK News that the company’s threat intelligence team had noticed the creation of the fake accounts involved in the attack.

“We took immediate action at that time and permanently restricted the accounts,” said Paul Rockwell, the company’s Head of Trust and Safety.

To prevent attacks via Linkedin messaging, he said members should only connect with people they know and trust, as well as report suspicious profiles or messages to the company. 

Malicious LNK files have been used in previous cyberattacks originating from the Korean peninsula, most recently in a campaign attributed by security firm Malwarebytes Labs to Higaisa, a group suspected by some researchers to be linked to the South Korean government.

That attack also used RAR archives containing decoy job applications and exam results alongside malicious LNK files that executed code providing hackers with access to the victim’s device. 

Edited by Oliver Hotham