North Korean hackers continue cyber attacks on defense companies worldwide

admin | 2024-02-21 21:53:02 | 14 views | 5,264 characters | 17 min 32 s read

North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world.

In a joint advisory published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a "cost-effective" manner.

"The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines," they noted.

The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called Dream Job. The campaign has been ongoing since August 2020 over several waves.

In these attacks, the threat actors either create a fake profile or leverage legitimate-but-compromised profiles on platforms like LinkedIn to approach prospective targets and build trust with them, before offering lucrative job opportunities and shifting the conversation to a different messaging service like WhatsApp to initiate the recruitment process.

Victims are then sent coding assignments and job offer documents laden with malware that, when launched, activate the infection procedure to compromise their computers.

"Universally, the circumstance that employees usually do not talk to their colleagues or employer about job offers plays into the hands of the attacker," the agencies said.

"The Lazarus Group changed its tools throughout the campaign and demonstrated more than once that it is capable of developing whatever is necessary to suit the situation."

The second case concerns an intrusion into a defense research center towards the end of 2022 by executing a software supply chain attack against an unnamed company responsible for maintaining one of the research center's web servers.

"The cyber actor further infiltrated the research facility by deploying remote-control malware through a patch management system (PMS) of the research center, and stole various account information of business portals and email contents," the BfV and NIS said.

The breach, which was carried out by another North Korea-based threat actor, unfolded over five stages:

  • Hack into the web server maintenance company, steal SSH credentials, and gain remote access to the research center's server

  • Download additional malicious tooling using curl commands, including a tunneling tool and a Python-based downloader

  • Conduct lateral movement and plunder employee account credentials

  • Use the stolen security manager's account information in an unsuccessful attempt to distribute a trojanized update capable of uploading and downloading files, executing code, and collecting system information

  • Persist within target environment by weaponizing a file upload vulnerability in the website to deploy a web shell for remote access and send spear-phishing emails
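
The final stage above hinges on a file upload flaw that let the actor drop a web shell. The following is an added example, not code from the advisory or from either agency, showing the weak upload pattern (a client-chosen filename stored under the served web root) beside a hardened handler. The extension allowlist, the magic-byte table and the two directory paths are assumptions chosen for illustration.

```python
import posixpath
import re
import uuid

# Constructed for this example: the file types a document portal is assumed
# to accept, with the leading bytes (magic numbers) each type must start with.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
WEB_ROOT = "/var/www/html/uploads"   # assumed: served directly by the web server
STORE_ROOT = "/srv/portal-uploads"   # assumed: outside the web root, never executed


def vulnerable_save_path(filename: str) -> str:
    """The weak pattern: trust the client-supplied name and store the file
    under the served web root. A name such as shell.php (or ../shell.php)
    lands where the server's script engine will happily run it."""
    return posixpath.join(WEB_ROOT, filename)


class UploadRejected(ValueError):
    """Raised by the hardened handler with a human-readable reason."""


def hardened_save_path(filename: str, content: bytes) -> str:
    """Validate name and content, then return a server-chosen path outside
    the web root. The client never controls where, or under what name,
    the file is stored."""
    # 1. Drop any directory component (covers ../ and Windows separators).
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("empty or traversal name")
    # 2. Exactly one extension and a simple stem: blocks .htaccess and
    #    double extensions such as shell.php.png.
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("name must be <stem>.<ext> with a simple stem")
    ext = parts[1]
    # 3. Allowlist of extensions, never a denylist of script extensions.
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    # 4. The declared type must match the bytes actually sent.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like .{ext}")
    # 5. Server-generated name; only the vetted extension is kept.
    return posixpath.join(STORE_ROOT, f"{uuid.uuid4().hex}.{ext}")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (accepted, storage path or rejection reason)."""
    try:
        return True, hardened_save_path(filename, content)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate document and hostile names.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%..."),
        ("shell.php", b"<?php /* script body */ ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n..."),
        ("../../shell.png", b"<?php /* script body */ ?>"),
        (".htaccess", b"AddType application/x-httpd-php .png"),
    ]
    for name, data in samples:
        print(f"{name!r:>20}: vulnerable -> {vulnerable_save_path(name)}")
        ok, detail = validate_upload(name, data)
        verdict = "stored at " + detail if ok else "REJECTED: " + detail
        print(f"{'':>20}  hardened   -> {verdict}")
```

The two controls that matter most are the last ones: the stored file never keeps a client-chosen name, and the storage directory is one the web server serves only through a download handler (with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`), so even a polyglot file that passes the magic-byte check is never executed as a script.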

"The actor avoided carrying out a direct attack against its target, which maintained a high level of security, but rather made an initial attack against its vendor, the maintenance and repair company," the agencies explained. "This indicates that the actor took advantage of the trustful relationship between the two entities."

The security bulletin is the second to be published by BfV and NIS in as many years. In March 2023, the agencies warned of Kimsuky actors using rogue browser extensions to steal users' Gmail inboxes. Kimsuky was sanctioned by the U.S. government in November 2023.

The development comes as blockchain analytics firm Chainalysis revealed that the Lazarus Group has switched to using YoMix bitcoin mixer to launder stolen proceeds following the shutdown of Sinbad late last year, indicating their ability to adapt their modus operandi in response to law enforcement actions.

"Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals," the company said. "With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement."

The malicious activities are the work of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, which are known to engage in an array of hacking operations ranging from cyber espionage to cryptocurrency thefts, ransomware, and supply chain attacks to achieve their strategic goals.

Originally published on the WeChat public account 知机安全: North Korean hackers continue cyber attacks on defense companies worldwide

  • Posted by admin on 2024-02-21 21:53:02
  • Please keep this link when reposting (CN-SEC中文网, with thanks to the original author for their work): https://cn-sec.com/archives/2511633.html
