An espionage campaign from North Korea’s Lazarus Group that was previously uncovered by Google researchers has now turned its attention to chemical sector organizations in South Korea, according to a report from cybersecurity company Symantec.
One of them – Operation Dream Job – had been running since at least August 2020 and most recently targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.
The campaign saw hackers send emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter, according to Google Threat Analysis Group’s Adam Weidemann.
The Threat Hunter Team at Symantec said Operation Dream Job has now been expanded to target chemical and IT sector organizations in South Korea.
They were able to tie the activity to Operation Dream Job based on file hashes, file names, and tools that were observed in previous Dream Job campaigns.
The typical attack starts with a malicious link in an email and kicks off a chain of events that eventually allows the hackers to get into a system and move laterally within a network using Windows Management Instrumentation (WMI).
From The Shadows Emerges Knowledge