Symantec threat hunters have discovered evidence that North Korea’s Lazarus APT group is targeting chemical businesses in an ongoing cyber-espionage operation that relies on phony employment offers and devious social engineering. Lazarus, a state-backed threat actor, has carried off some of the largest cryptocurrency heists ever witnessed, but the new targeting of chemical and IT industries in South Korea shows a move beyond big-game financial crime.
The newest Lazarus finding comes from Symantec’s threat intelligence team, which observed that the activity continues a malware campaign known as Operation Dream Job, previously connected to the notorious North Korean hacking group. The company released technical details and IOCs (indicators of compromise) for the current malware attacks, along with a warning to businesses worldwide.
“The Lazarus group is likely targeting organizations in the chemical sector to obtain intellectual property to further North Korea’s own pursuits in this area. The group’s continuation of Operation Dream Job suggests that the operation is sufficiently successful. As such, organizations should ensure they have adequate security in place and remain vigilant for attacks such as this,” said the company.
Symantec’s Lazarus warning comes on the same day the US government announced a $5 million reward for information about North Korean sanctions-evasion efforts. The US government has also formally attributed the $600 million Ronin cryptocurrency theft to Lazarus hackers and imposed sanctions on the Ethereum address that received the stolen assets.
The massive robbery, which involved the theft of 173,600 Ether (ETH) and 25.5 million USD Coin from the Ronin cross-chain bridge, is the second-largest crypto theft on record. North Korean hacking groups have been actively attacking crypto banks and cryptocurrency exchanges. They have recently targeted offensive security researchers, posing as a phony penetration-testing firm in social engineering attacks, and have also been found exploiting zero-day vulnerabilities in web browsers.