New Insights on Highly-targeted Operation North Star Campaign

The McAfee Advanced Threat Research team has recently released a new report on previously undiscovered backend infrastructure run by the adversaries behind the Operation North Star campaign. This highly targeted campaign is suspected to be linked to the North Korean APT group Hidden Cobra.

New insights from the report

According to the recent report, the attackers have been launching targeted attacks against the aerospace and defense sectors, attempting to install data-gathering implants on victims' machines for surveillance and data exfiltration.
  • The campaign relies on secondary payloads known as Torisma and Doris, which are designed to remain hidden on compromised systems and to stealthily monitor the victims for continued exploitation.
  • In addition, the threat group compromised legitimate domains and used them as C2 infrastructure; traffic to a genuine, already-trusted domain draws less scrutiny than traffic to newly registered attacker infrastructure, which minimizes the risk of detection and discovery.
  • The group has used political and job-recruiting lures in attacks against IP addresses belonging to ISPs in Australia, Israel, and Russia, and against defense contractors based in India and Russia.

Earlier detection

  • According to a July report, the researchers attributed the cyber-espionage campaign to a North Korean hacking group known as Hidden Cobra (also known as the Lazarus Group).
  • The group had been using legitimate job-recruitment content taken from popular U.S. defense contractor websites to trick unwitting victims into opening malware-laden documents.

Recent attacks by Hidden Cobra

  • In September, Hidden Cobra operators were seen using SMBMAP, an open-source Python SMB enumeration tool, to access and exploit a Japanese organization's account information.
  • In August, the threat actors used a Windows variant of the FASTCASH malware to target banking payment systems, relying on DLL injection and man-in-the-middle techniques.

Endnotes

Analysis of Operation North Star shows how a threat actor first builds a verified list of targets and then deploys a second-stage implant only against those targets for deeper, longer-term monitoring. The initial compromise is not the end goal: the second implant lets the attackers keep watching victims of interest well after the infiltration itself.