A cyber-espionage campaign targeting the aerospace and defence sectors, which planted data-gathering implants on victims' systems for surveillance and data exfiltration, may have been more sophisticated than previously thought.
In attacks on IP addresses belonging to ISPs in Australia, Israel and Russia, and to defence contractors based in Russia and India, a previously undiscovered espionage tool called Torisma was used to covertly monitor victims for further exploitation.
The initial findings on the campaign, which McAfee researchers dubbed Operation North Star and first reported in July, revealed the use of social media, spear-phishing and fake job offers to deceive defence workers and gain a foothold in their organisations' networks.
The attacks were attributed to infrastructure and TTPs (tactics, techniques and procedures) previously associated with Hidden Cobra, an umbrella term used by the U.S. government for North Korean state-sponsored hacking groups.
The trend continues: North Korea, a country under heavy sanctions, uses its arsenal of threat actors to support and fund its nuclear weapons programme by launching attacks on U.S. defence and aerospace companies.
Although the initial analysis suggested the implants were intended to gather basic information about victims in order to assess their value, the latest research on Operation North Star reveals a degree of technical innovation designed to keep the activity hidden on compromised systems.
The campaign not only used legitimate job postings from well-known U.S. defence companies to lure victims into opening malicious phishing email attachments, but also compromised legitimate websites in the United States and Italy – an auction house, a print shop and an IT support company – to host its command-and-control (C2) infrastructure.
Using these domains for C2 operations has probably allowed the attackers to bypass some organisations' security controls, since most organisations do not block trusted sites, according to McAfee researchers Christiaan Beek and Ryan Sherstobitoff.
In addition, a first-stage implant embedded in Word documents collects the victim's system data (date, IP address, user-agent and so on) and compares it against a predefined list of target IP addresses before deciding whether to deliver a second implant, called Torisma, thereby minimising the risk of detection and exposure.
This specialised monitoring implant is used to execute custom shellcode, and it also actively monitors for new drives added to the system and for remote desktop connections.
This campaign was interesting because there was a specific list of targets of interest, and this list was checked before a decision was made to send a second implant, 32- or 64-bit, for further and more detailed monitoring, the researchers noted.
The progress of the implants sent from the C2 was tracked and recorded in a log file, giving the adversary a picture of which victims had been successfully implanted and which could be monitored further.