ESET Discovers BEC Scams by North Korea’s State Hackers

ESET researchers have reported that North Korean state-sponsored hackers were trying to steal money from the victims of their earlier cyber-espionage attacks.

The Slovakian antivirus maker reported this cyber-espionage attempt on Tuesday at the ESET Virtual World security conference. The research team revealed that the operation was perpetrated by the well-known state-sponsored hacking group of the Pyongyang regime.

The hacking campaign is codenamed “Operation In(ter)ception” and was conducted for both financial theft and cyber-espionage.

ESET presented this recent development to an audience of thousands at the live-streamed event. Jean-Ian Boutin, an ESET security researcher, pointed out that the attack was orchestrated by members of the hacking group known as the Lazarus group, the widely known hacking syndicate sponsored by the North Korean government to break into foreign government agencies and large corporations. The group is also part of North Korea’s intelligence apparatus.

Boutin revealed that the Lazarus hackers were targeting European aerospace companies and military-weapons manufacturers. He described how the hackers approached their targets through private messages from LinkedIn job-recruiter profiles. They got the target’s attention by posing as a company conducting a job interview. The targets were asked to open archives and view files that allegedly contained information about the company and the salary package they would receive once employed.

In reality, according to Boutin, the files were infected with malware that gave the hackers initial access to the victim’s system for further attacks.

The ESET researcher also revealed that after infecting the victim’s computer, the hackers would conclude the interview process and inform the victim that the interview had not been successful. They would then delete their LinkedIn profile entirely.

However, the hackers would continue operating on the victim’s system through the initial foothold gained via the infected files, spreading through the victim’s computer in search of more information and data.

ESET researchers said they discovered the attackers querying the Active Directory (AD) server to obtain administrator accounts and information about other employees. The goal was to subsequently carry out password brute-force attacks against the administrator accounts.

According to ESET, the attack appears to have taken place between September and December last year, based on the “Operation In(ter)ception” activity they found.

Generally, the targets were employees of military contractors and European aerospace companies, most of whom were offered bogus jobs at higher-profile companies.

Boutin reiterated that even after gathering the proprietary data and intelligence they wanted from the target company, the attackers would still go ahead with more attacks and intrusions. Whereas other hackers would usually erase their footprints to avoid being traced, this group moved on to attempt to scam the infected company’s business partners.

Boutin further revealed that the hacking group would ransack the email inboxes of the hacked companies to find unpaid invoices. They then acted on those invoices, deceiving the customer into paying the invoice to a different account number that the attackers provided.

“They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed,” the ESET research team stated.