This is a group that has been carrying out cyber-attack missions on behalf of the North Korean government for years • It is estimated that this is a cyber force with at least 7,000 fighters • "They approached workers in the space industry, sending tempting job offers that led some of their targets to negotiate"

• Photo: Getty Images

Today (Wednesday) the Israeli Ministry of Defense allowed the publication that it has thwarted a major cyber attack against leading defense industries in the country by an international cyber array called "Lazarus", a squad associated with the North Korean government and carrying out cyber-attack missions for years.

"Lazarus' method of operation was first discovered about two months ago in an ESET study," explains Amir Carmi, head of defense at hackerU solutions, in a conversation with Israel Today. "During the attack, Lazarus activists impersonated human resources representatives of well-known aerospace companies and used sophisticated damage, with the interesting part being the use of social engineering via LinkedIn and the posting of job offers, in order to convey damage in a suspicious manner."

"This time, too, they targeted very specific targets - people with key positions in Israel's defense industries through job offers sent from those companies. In the same study two months ago, they approached space industry workers. They sent tempting job offers that led some of their targets to negotiate "The communication with them, they started sending them files and offered to transfer the communication to Skype chat," adds Carmi.

According to Carmi, the group acted in various ways to evade defensive measures. "Some of the files were transferred directly through LinkedIn chat, some via email and some through OneDrive. The files were password-protected RAR archive files, which prevents the protection that scans emails and installed on the computer from opening the file and locating the damage during file transfer. "Although the officials who were attacked are people with a great awareness of information security and social engineering, there is a problem of awareness about information security and the dangers that can come from LinkedIn."

"The case reinforces the need for security bodies and the defense industry to conduct information security awareness workshops that are up to date with the latest attack. Awareness of this attack, which was discovered two months ago, could have prevented such attacks and prevented defense industry defense systems from entering action." Carmi concludes.

Ido Naor, CEO of the cyber company Security Joes, says in an interview with Israel Today that "the group has many attack capabilities that branch out into spyware, collaboration with ransomware, theft from financial systems and virtual currencies, and the attack tools are complicated and sophisticated for investigation and surveillance."

According to Naor, this is not the first time that the attacking group has been caught while impersonating fake profiles on LinkedIn. "Last month, ESET suspected the same group when it tried to lure employees from defense ministries in Europe. In 2018, the group tried to infiltrate a bank in Chile using the same method as well. We have been faithfully monitoring Lazarus for a decade and trying to prevent intrusions into Israel."

Lazarus also focused on hacking into financial institutions, such as the bank break-in in Bangladesh, in which the group tried to steal close to a billion dollars. "Bitcoin. One of the biggest attacks attributed to the group was the break-in of Bines and the theft of more than $ 40 million," Naor concludes.

The unit's most recognizable operation, and the one that brought it to mind, occurred in 2014 when North Korean crackers infiltrated Sony's internal network due to the presentation of North Korean ruler Kim Jong Un in the film's interview 'produced by the company.

North Korea's offensive cyber signature is even more impressive given the fact that the country is not officially connected to the Internet at all. Pyongyang is content with an internal network used by the regime and the various educational institutions in the country, a system to which only a few in the country have access.

However, according to an article published in June in the Business Insider newspaper, North Korea has a cyber force of at least 7,000 fighters, all of whom serve in the North Korean military and receive free and rare access to the Internet. But not the territory of North Korea itself. 

According to foreign publications, the North Korean cyber network operates from countries such as China, Russia and even India, where Pyongyang's young crackers receive their training, at leading universities. The activity from abroad also allows for the masking of North Korea's operations in the network and many times Russia or China are accused of hacking activity carried out by the North Korean unit.

Neta Bar participated in the preparation of the article