
North Korean Hackers Target German Missile Maker with Fake Job Offers

The Hack: The German defence company Diehl Defence sells missiles to South Korea. North Korea doesn’t love that. North Korea ran a hyper-targeted phishing campaign against Diehl Defence employees, disguised as lucrative American job offers. Malicious PDFs attached to the job offers would infect the user’s devices with malware.

  • North Korean hacker group "Kimsuky" (also known as APT43) used fake job offers from US arms providers to target Diehl Defence employees (Source: Mandiant)

  • Diehl Defence manufactures Iris-T missiles used by the South Korean military in their KF-21 fighter jets (Source: Article)

  • The Federal Office for Information Security (BSI) confirms observing a "German campaign" by Kimsuky affecting multiple organizations (Source: BSI spokesperson)

  • The defense company is not the only goal: "The BSI knows other organizations in Germany that are affected by the current campaign."

The big picture: North Korean state-sponsored cyber attacks are becoming increasingly sophisticated and targeted.

Zoom In: The hackers meticulously researched German conditions and created authentic-looking login pages, evidence of how targeted this campaign was.

Zoom Out: Kimsuky has been active for over a decade, engaging in spear-phishing, cyber espionage, and financially driven cybercrime to support North Korea’s strategic goals. In this specific attack, Diehl Defence employees were targeted with fake job offers, a tactic frequently employed by Kimsuky. The malicious PDFs used in these phishing emails would infect devices with malware, allowing North Korean hackers to gather intelligence and potentially disrupt operations.

Kimsuky's tactics extend beyond this campaign, as seen in their previous spear-phishing efforts. For example, they have impersonated journalists to access sensitive information from think tanks, research institutions, and government organizations. These phishing emails are often designed to appear legitimate and include customized content based on the victim’s role and sector. Kimsuky’s ability to target specific individuals and organizations, even using multi-stage validation processes to avoid detection, showcases the group's precision and thorough planning.

Historically, Kimsuky has utilized various tools, such as the ReconShark malware, to collect information about infected systems and gather intelligence, as observed in other attacks on South Korean entities and defense contractors.

This attack is not an isolated incident but part of a broader pattern of cyber espionage targeting industries that align with North Korea’s intelligence-gathering and financial needs.

The broader implication is that state-sponsored actors like Kimsuky employ sophisticated phishing tactics, exploit software vulnerabilities, and often develop custom malware tailored to specific targets. They are well-funded and patient. North Korea, sanctioned by most of the Western world, also uses these tactics to fund its military by stealing crypto via hacks like this one. The North Korean Lazarus group alone has pulled off over $2 billion in crypto heists in recent years.