TEL AVIV – Israel claimed on Wednesday that it had countered a cyberattack by a North Korean-linked hacking group on its classified defense sector.
The Ministry of Defense said the attack had been stopped “in real time” and that there was no “damage or restriction” to its computer systems.
Security investigators at ClearSky, the international cybersecurity company that first exposed the attack, said the North Korean hackers had broken into the computer systems and probably stolen a large amount of classified data. Israeli officials fear the data could be shared with North Korea’s ally, Iran.
The episode adds Israel to the list of countries and companies targeted by North Korea’s hacking unit, known by private security analysts as the Lazarus Group. U.S. and Israeli officials have said the Lazarus Group, also known as Hidden Cobra, is backed by Pyongyang.
U.S. federal prosecutors unmasked North Korean members of the Lazarus Group in a 2018 criminal complaint, saying the group was working on behalf of Lab 110, a North Korean military intelligence unit.
The complaint accused the group of playing a role in North Korea’s devastating ransomware attack in 2017, known as “WannaCry,” which paralyzed 300,000 computers in 150 countries; the $81 million cyber theft from Bangladesh; and the crippling cyberattack in 2014 on Sony Pictures Entertainment that resulted in the leak of executive emails and destroyed more than two-thirds of the studio’s computer servers.
Although the group’s track record has been mixed, North Korea’s growing army of more than 6,000 hackers has only become more polished and more capable with time, according to US and British officials who follow the group.
In a report last April, officials from the State Department, the Department of Homeland Security, the Treasury Department and the FBI accused North Korea of increasingly using digital means to evade sanctions and generate revenue for its nuclear weapons program. The report also accused North Korea of renting out its hackers to other cybercriminals and countries in what is known as “hacking for hire.”
An Israeli security official said there was concern that the stolen data was being used not only by North Korea but by Iran.
Israel has been fighting an escalating cyber conflict with Iran in recent months. Israel said it had foiled an April attack on its water infrastructure that officials said was aimed at raising chlorine to dangerous levels while Israelis were quarantined at home because of the coronavirus.
Israel, which blamed Iran, retaliated two weeks later with a cyberattack on an Iranian port that knocked its computers offline and caused miles-long shipping backups around Iran’s Shahid Rajaee port facility in early May.
The North Korean attack on the Israeli defense sector began with a LinkedIn message last June, ClearSky researchers said. North Korean hackers posing as a Boeing headhunter sent a message to a senior engineer at an Israeli government company that produces weapons for the Israeli army and intelligence services.
The hackers created a fake LinkedIn profile for the headhunter, Dana Lopp. There is indeed a real Ms. Lopp, a senior personnel recruiter at Boeing. She did not respond to a message on Wednesday.
Ms. Lopp was one of several headhunters from leading defense and aerospace companies – including Boeing, McDonnell Douglas and BAE Systems – whom North Korea’s hackers impersonated on LinkedIn.
After establishing contact with their Israeli targets, the hackers requested an email address or phone number to connect via WhatsApp or, to increase credibility, suggested switching to a live call. Some of the people who received the calls, and who later approached ClearSky, said that the person on the other end spoke unaccented English and sounded credible.
That level of fluency had not previously been demonstrated by Lazarus, the researchers said. Israeli officials speculated on Wednesday that North Korea may have outsourced some of its operations to native English speakers abroad.
At one point, the hackers asked to send their targets a list of job requirements. That file contained hidden spyware that infiltrated the employee’s personal computer and attempted to move into classified Israeli networks.
ClearSky said the attacks, which began earlier this year, “succeeded, in our view, in infecting dozens of companies and organizations in Israel” and around the world.
The hacking campaign was a notable step up from an earlier attempt by North Korea to hack the Israeli defense sector last year. In 2019, ClearSky reported a somewhat clumsy attempt by Lazarus to break into the computers of an Israeli defense corporation by sending emails in broken Hebrew that were probably written with electronic translation. The emails immediately aroused suspicion and the attack was stopped.
North Korea’s hackers appear to have learned their lesson: in mid-2019 they began using LinkedIn and WhatsApp to approach a number of Western military contractors, attacking aerospace and defense companies in Europe and the Middle East. In August, a United Nations report said North Korean hackers had used similar methods to target officials of the organization and of its member states.
Boaz Dolev, the chief executive officer and owner of ClearSky, said that in the wake of these reports, the company began searching for signs of attacks on Israeli defense companies. It soon found Lazarus’s fake LinkedIn profiles and messages to employees of Israeli defense companies.
ClearSky investigators discovered that in at least two cases, North Korean hackers had installed hacking tools on Israeli networks. The tool, a remote access Trojan, has been used by North Korean hackers in previous cyberattacks on Turkish banks and other victims to steal passwords and other data.
The successful installation was a red flag, researchers said, that North Korea had made it further into the Israeli networks than officials had acknowledged.
“Lazarus of North Korea is once again demonstrating high capacity and originality in its social engineering and hacking methods,” Mr. Dolev said.
The better corporate security becomes, he said, the more nation-states and cybercriminals will try to target employees personally through social media and email phishing attacks.
“Attackers are always looking for new vulnerabilities,” he said. The better the defenses, “the more attacks will focus on employees, their families, and home computing equipment.”
Ronen Bergman reported from Tel Aviv, and Nicole Perlroth from Palo Alto, Calif.