TLDR:
- A North Korean cyberespionage group is posing as job recruiters to target employees in aerospace and energy sectors.
- Mandiant reports that the group uses fake job descriptions stored in malicious archives and backdoor malware to target victims.
Fake Job Lures Target Employees of Aerospace, Energy Firms
A recent report by Mandiant has revealed that a North Korean cyberespionage group has been targeting employees in aerospace and energy sectors with fake job offers. The group, tracked as UNC2970, poses as job recruiters and uses email and WhatsApp messages to engage with potential victims. The attackers send tailored job descriptions in PDF format, stored inside malicious archives, to trick individuals into clicking a link that deploys backdoor malware onto their devices. These attacks are part of the group’s strategic intelligence collection activities linked to the regime of Kim Jong Un.
In previous campaigns, the group used SumatraPDF, a free document viewer, to deliver backdoor malware called MISTPEN. Modified versions of SumatraPDF were used to execute malicious code, highlighting the group’s familiarity with the tool and its methods. While Mandiant did not directly associate UNC2970 with Andariel, another North Korean threat group, Mandiant noted that different groups may share cyberattack tools and tactics. The group’s recent targeting of aerospace, defense, and energy sectors reflects an escalating cyber threat from North Korea.
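The delivery chain described above (a job-description PDF packaged in an archive alongside a modified document viewer that runs the backdoor) has a few properties a mail gateway or sandbox can check before a user ever opens the file. The following triage routine is an added example written for this summary; it is not Mandiant's code and not from the report. It assumes a ZIP container, uses placeholder bytes for the archive contents, and leaves the known-good viewer hash set empty (a real deployment would populate it from vendor-published hashes).

```python
import hashlib
import io
import zipfile
from typing import List

# File classes used by the heuristics. Extensions are a coarse signal,
# so the check below also looks at magic bytes.
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".lnk", ".cpl", ".js", ".vbs", ".hta", ".msi")
PE_MAGIC = b"MZ"

# Viewer binaries that a lure might ship with. Hashes of legitimate releases
# would go here; the set is intentionally empty in this example (assumption).
VIEWER_NAMES = ("sumatrapdf.exe",)
KNOWN_GOOD_VIEWER_HASHES: set = set()


def triage_archive(data: bytes) -> List[str]:
    """Return a list of human-readable findings for a ZIP archive in memory."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        lowered = [m.filename.lower() for m in members]

        # 1. A document bundled with executable content is the core lure shape:
        #    the PDF is the pretext, the executable is the payload.
        docs = [n for n in lowered if n.endswith(DOCUMENT_SUFFIXES)]
        execs = [n for n in lowered if n.endswith(EXECUTABLE_SUFFIXES)]
        if docs and execs:
            findings.append(f"document bundled with executable content: {docs} + {execs}")

        for member, name in zip(members, lowered):
            content = zf.read(member)

            # 2. A PE header behind a document-looking name (extension spoofing).
            if content.startswith(PE_MAGIC) and not name.endswith(EXECUTABLE_SUFFIXES):
                findings.append(f"PE header in non-executable file name: {member.filename}")

            # 3. Double extensions such as Offer.pdf.lnk.
            base = name.rsplit("/", 1)[-1]
            parts = base.split(".")
            if (len(parts) >= 3
                    and "." + parts[-2] in DOCUMENT_SUFFIXES
                    and "." + parts[-1] in EXECUTABLE_SUFFIXES):
                findings.append(f"double extension: {base}")

            # 4. A shipped viewer binary whose hash is not a known-good release.
            #    Modified viewers are exactly what the report describes.
            if base in VIEWER_NAMES:
                digest = hashlib.sha256(content).hexdigest()
                if digest not in KNOWN_GOOD_VIEWER_HASHES:
                    findings.append(f"unverified viewer binary: {member.filename} sha256={digest}")
    return findings


def build_lure_sample() -> bytes:
    """Constructed sample mimicking the lure layout; placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 placeholder lure document")
        zf.writestr("SumatraPDF.exe", b"MZ placeholder bytes, not a real binary")
        zf.writestr("libmupdf.dll", b"MZ placeholder bytes")
        zf.writestr("Offer.pdf.lnk", b"placeholder shortcut")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive containing only a document, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 placeholder document")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_lure_sample()):
        print("LURE  :", finding)
    print("BENIGN:", triage_archive(build_benign_sample()))
```

The heuristics are deliberately cheap so they can run inline on every inbound attachment; a hit is a reason to detonate the archive in a sandbox, not a verdict on its own. A legitimate recruiter sending a ZIP containing a bundled PDF viewer is rare enough that the combination alone merits a block-and-review policy in most environments.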
The joint advisory from South Korea’s National Intelligence Service, U.K.’s National Cyber Security Center, U.S. Cybersecurity and Infrastructure Security Agency, and the FBI warned of North Korean espionage activities targeting Western organizations in the defense, aerospace, and energy sectors. Added emphasis was placed on the group’s funding of operations through ransomware attacks on U.S. healthcare institutions, underscoring the scale of their cyber activities.