Skip to content ↓ | Skip to navigation ↓

Security researchers at AT&T Alien Labs report that a notorious hacking group has been targeting engineers working in the defence industry.

In recent months there have been a series of reports of malicious emails that use the disguise of a job offer to target defence contractors in the United States and Europe.

Attached to the emails are Word documents containing macros that plant malicious code onto a victim’s computer, and make changes to the targeted computer’s settings in an attempt to avoid detection.

According to security researchers, the attacks carry the hallmarks of being the work of the notorious Lazarus Group, a North Korean-linked hacking gang that has been blamed for the 2014 attack on Sony Pictures, and the theft of $81 million from the Bank of Bangladesh in 2016, amongst other attacks.

Since May, emails believed to have been sent by the Lazarus Group have targeted victims by posing as engineering opportunities from the likes of Airbus, General Motors, and military contractor Rheinmetall.

Microsoft Office correctly warns the recipient upon opening the poisoned document that it has disabled macro content, but because the email pretends to offer a career opportunity the attackers are banking on recipients overriding the security warning, and allowing the malicious code to execute.

Sometimes the poisoned documents even have the gall to claim that they are “protected” – as if in an attempt to reassure the recipient that the job offer communication is private – in an attempt to trick a user into feeling comfortable enabling the dangerous macro content.

Previous malware campaigns have attempted to trick victims with job opportunities at Boeing and BAE systems.

The security researchers report that the Lazarus Group have refined their attacks over time, making changes to their attacks in an attempt to avoid detection. Many of the attacks have seen the renaming of the Certutil and Explorer system tools to hide the attackers’ activities.

Of course, if the hackers succeed in planting their malware on an engineer’s computer they could easily spy upon any work being done on the PC, snoop upon communications, steal intellectual property as well as databases, and passwords, and look to launch further attacks against others.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.