
October 1, 2024

NK-based APT compromises German missile manufacturer via phishing scam


A group of North Korean state-sponsored cyber actors, codenamed Kimsuky, is being blamed for the compromise of Diehl Defence, a German missile and ammunition manufacturer.

According to researchers, Kimsuky deployed a clever phishing campaign supported by advanced social engineering tactics that targeted Diehl Defence employees with fake job offers at U.S.-based defense contractors.

It is believed that Kimsuky conducted reconnaissance on Diehl Defence before initiating the campaign and took measures to ensure that malicious traffic blended in. For example, the group’s attack server contained the name “Uberlingen,” likely a reference to Diehl Defence’s location in Überlingen, Germany.

Diehl Defence specializes in the production of missiles and ammunition, including the Iris-T short-range air-to-air missile system, ordered by South Korea in October 2023.

Source: Bleeping Computer

Analysis

The targeting of Diehl Defence is in line with North Korea’s intelligence requirements. The country would be highly interested in the missile system’s battlefield capabilities and limitations, especially since it is soon to be deployed by South Korea. North Korea could also potentially use stolen data to manufacture its own clone of the missile. Finally, information regarding the missile could be sold to or shared with other nations, such as Russia, whose air force has been on the receiving end of Ukrainian Iris-T missiles since they were provided by Germany in 2022.

North Korean state-sponsored hackers have a long track record of leveraging job-themed attack vectors to compromise targets of interest. For example, in September 2024, another North Korean hacking group called Lazarus was observed tricking potential job seekers into completing a malware-laced coding test and using a job-themed attack vector to target job seekers in the energy and aerospace industries.

The group was also observed using AI tooling to change one member’s appearance during video interviews, duping cybersecurity company KnowBe4 into hiring the threat actor. Fortunately, the company caught on to the scam when the new employee installed malware on their company-issued laptop. KnowBe4 then contacted the FBI, who advised that the employee in question was a North Korean state-sponsored threat actor.

In general, sensitive information obtained by compromising organizations in the defense, aerospace, and energy sectors helps North Korea develop its own nuclear energy and weapons programs. It’s highly likely North Korea will continue engaging in malicious cyber activities as long as it maintains its ambition to develop these programs.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including Kimsuky. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends scrutinizing job application invites sent via email, messaging services such as WhatsApp, and social media. Recipients should take into consideration that the individuals contacting them could be fake, and always make efforts to verify the recruiter’s identity and association with the company they claim to represent. Generally, if an offer is too good to be true, it probably is.

Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.
