Israel claimed Wednesday that it had thwarted a cyberattack by a North Korea-linked hacking group on its military industry. The Defence Ministry released a statement claiming the attack was deflected ‘in real time’ and that there was no ‘harm or disruption’ to its computer systems. However, this claim has been contradicted by experts familiar with the facts.
Security researchers at ClearSky, the international cyber-security firm that first exposed the attack, said the North Korean hackers penetrated the computer systems and were likely to have stolen a large amount of classified data. Israeli officials fear the data could be shared with North Korea’s ally, Iran.
The episode adds Israel to the list of countries and companies that have allegedly been targeted by North Korea’s hacking unit, known to private security analysts as the Lazarus Group. US and Israeli officials have claimed that the Lazarus Group, also known as Hidden Cobra, is backed by Pyongyang.
In 2018 US federal prosecutors claimed that the group of hackers was working on behalf of Lab 110, a North Korean military intelligence unit. The complaint they were investigating accused the group of playing a role in North Korea’s devastating 2017 ransomware attack, known as ‘WannaCry’, which paralyzed 300,000 computers across 150 countries. They have also been accused of being behind the 2016 cyber-theft of $81 million from Bangladesh Bank, and the crippling 2014 cyberattack at Sony Pictures Entertainment that resulted in the leak of executive emails and destroyed more than two-thirds of the studio’s computer servers.
Though the group’s track record is mixed, North Korea’s growing army of more than 6,000 hackers has become more sophisticated over time, according to US and British officials tracking the group.
In a report published last April, officials at the State Department, the Department of Homeland Security, the Treasury Department and the F.B.I. accused North Korea of using its digital activities to evade sanctions and generate income for its nuclear weapons program. The report also accused North Korea of hiring out its hackers to other cybercriminals and countries in what has been called ‘hacking for hire’.
Israel has been fighting an escalating cyberconflict with Iran in recent months. Israel said it foiled a cyberattack on its water infrastructure in April. Two weeks later Israel launched a cyberattack against Iran’s Shahid Rajaee port facility that knocked its computers offline and temporarily disrupted shipping traffic.
With regard to the latest attack targeting Israel’s defence industry, an Israeli security official said there was concern that the stolen data would be used not only by North Korea, but by Iran.
The operation began with a LinkedIn message last June, ClearSky researchers said. Hackers posing as a Boeing head hunter sent a message to a senior engineer at an Israeli government-owned company that manufactures weapons for the Israeli military and intelligence.
The hackers created a fake LinkedIn profile for the executive head hunter, Dana Lopp. Ms Lopp was one of several head hunters from prominent defence and aerospace companies — including Boeing, McDonnell Douglas and BAE Systems — whose accounts the hackers mimicked.
After establishing contact with their Israeli targets, the hackers asked for an email address or phone number to connect via WhatsApp or, to increase credibility, suggested switching to a live call.
At some point, the hackers asked to send their targets a list of job requirements. That file contained invisible spyware that infiltrated the employee’s personal computer and attempted to access classified Israeli networks.
ClearSky said the attacks, which started early this year, “succeeded, in our assessment, to infect several dozen companies and organizations in Israel” and around the globe.
The hacking campaign was a notable step up from a previous attempt to hack the Israeli military industry last year. In 2019, ClearSky reported a somewhat clumsy effort by Lazarus to break into an Israeli military corporation’s computers by sending emails in broken Hebrew that were likely written with electronic translation. The emails immediately aroused suspicion and the attack was stopped.
The hackers, thought to be from North Korea, appear to have learned their lesson and in mid-2019 began using LinkedIn and WhatsApp to establish contact with military complexes in the West, attacking aerospace and weapons companies in Europe and the Middle East.
ClearSky researchers said that in the latest attack North Korean hackers made it further into the Israeli networks than officials let on. They added that the better corporate security becomes, the more nation-states and cybercriminals will try to target employees directly via social media and email phishing attacks.