A joint security advisory from the BfV and NIS dated February 19, 2024 provides information on North Korean cyber espionage activities against the defense industry. North Korea focuses on stealing advanced defense technologies to strengthen its military.
The advisory contains tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs) attributed to the DPRK. It describes two cases of cyberattacks: a supply chain attack on a research center and social engineering attacks by the LAZARUS group. The recommendations emphasize preventive measures and raising awareness of such threats in the defense industry and other sectors.
The security advisory describes two main types of cyberattacks by North Korean actors:
Supply chain attack on a defense industry research center
- A North Korean cyber actor penetrated the network of a marine and maritime technology research center by first compromising a service provider responsible for maintaining the center’s web server.
- The attacker used legitimate programs to download malicious files from command-and-control (C2) servers, including a tunneling tool and a Base64-encoded Python script.
- The attacker moved laterally through the network via SSH connections to other servers at the research center, where network packets were captured and login credentials stolen.
- The attacker obtained the credentials of a security manager and attempted to distribute a malicious patch file via the research center’s patch management system (PMS).
Social engineering attacks by the LAZARUS group
- LAZARUS used social engineering, a non-technical method that exploits human trust and other psychological aspects to obtain sensitive data.
- The process began with the creation of fake or stolen profiles on online job portals that looked like those of a headhunter.
- LAZARUS specifically searched for employees of defense companies with access to valuable resources and established contact with them via job portals.
- The attacker tried to persuade employees to change their communication platform (e.g. WhatsApp, Telegram, Skype) and then sent malicious files, often disguised as job offers or information about a position.
- In some cases, programming tasks were sent as part of the supposed recruitment process, which installed malware when executed. In other cases, manipulated VPN clients were used to infiltrate the company network.
These tactics demonstrate the advanced and diverse methods used by North Korean cyber actors to carry out targeted attacks and circumvent security measures.
Security measures and best practices against social engineering attacks
In order to effectively combat social engineering attacks, the joint security advisory from the BfV and NIS recommends the following measures and best practices:
- Regular information for employees: It is important to keep employees continuously informed about the latest developments in cyber attacks. This increases understanding of the methods used by cyber actors and enables a rapid response in the event of an intrusion into company systems.
- Restricting access rights: When using remote maintenance and repair services, access rights should only be granted for the necessary systems. Careful authentication before assigning user authorizations and privileges is essential.
- Audit logs: Companies should keep audit logs and check them regularly in order to identify and analyze unusual access.
- Patch Management System (PMS): A suitable PMS procedure should be established that verifies user authentication and implements appropriate verification and approval processes for the final distribution phase.
- Use of SSL/TLS: SSL/TLS should always be used when operating websites to prevent illegitimate access to critical data such as user information.
- Multi-factor authentication: Multi-factor authentication is recommended for employees working from home via VPN. Sensitive information such as one-time passwords (OTP) and authentication keys should be protected from being passed on to third parties.
- Education about social engineering methods: Employees should be educated about the most common methods of social engineering. This includes raising awareness of suspicious, password-protected documents or links and establishing an open error culture that encourages employees to report security incidents without fear of repercussions.
- Restrictive assignment of privileges: To minimize the risk of social engineering attacks, privileges and access rights to sensitive data should be assigned as restrictively as possible.
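The audit-log recommendation above and the restrictive assignment of access rights for remote maintenance providers are what would have made the SSH lateral movement in the supply chain case visible in the logs. The following is an added example, not code from the advisory or from the BfV/NIS: it parses constructed sshd log lines, compares each successful login against an assumed per-account baseline of expected source addresses and target servers (`BASELINE`), flags logins outside assumed working hours, and raises an alert when one account reaches several distinct servers within a short window. The account names, addresses, hostnames and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not real data). The svc_maint account is the
# service provider's maintenance login; lines 2-3 model the SSH hops from the
# already-compromised web server to other servers, as described in the advisory.
SAMPLE_LOG = """\
Feb 19 02:14:07 srv-web sshd[1201]: Accepted password for svc_maint from 10.0.5.23 port 51234 ssh2
Feb 19 02:14:40 srv-db sshd[2210]: Accepted password for svc_maint from 10.0.9.2 port 51250 ssh2
Feb 19 02:15:12 srv-file sshd[3302]: Accepted password for svc_maint from 10.0.9.2 port 51266 ssh2
Feb 19 09:30:01 srv-web sshd[1300]: Accepted publickey for alice from 10.0.1.10 port 40000 ssh2
Feb 19 10:02:33 srv-web sshd[1301]: Failed password for root from 203.0.113.7 port 33000 ssh2
"""

# Assumed baseline: which source addresses and which servers each account is
# expected to use. In practice this comes from the access-rights decisions
# made when the maintenance contract is set up.
BASELINE = {
    "svc_maint": {"sources": {"10.0.5.23"}, "hosts": {"srv-web"}},
    "alice": {"sources": {"10.0.1.10"}, "hosts": {"srv-web", "srv-db"}},
}
BUSINESS_HOURS = range(7, 19)          # assumed local working hours
FANOUT_HOSTS = 3                       # distinct servers that count as fan-out
FANOUT_WINDOW = timedelta(minutes=10)  # assumed window for the fan-out check
LOG_YEAR = 2024                        # syslog timestamps carry no year

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


def parse_logins(text):
    """Return successful sshd logins as dicts; failed attempts are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return events


def flag_logins(events):
    """Compare each login against the account baseline and working hours."""
    findings = []

    def add(e, reason):
        findings.append({"ts": e["ts"], "user": e["user"], "host": e["host"],
                         "src": e["src"], "reason": reason})

    for e in events:
        base = BASELINE.get(e["user"])
        if base is None:
            add(e, "account has no baseline")
            continue
        if e["src"] not in base["sources"]:
            add(e, f"unexpected source {e['src']}")
        if e["host"] not in base["hosts"]:
            add(e, f"unexpected target host {e['host']}")
        if e["ts"].hour not in BUSINESS_HOURS:
            add(e, "login outside business hours")
    return findings


def detect_fanout(events):
    """Flag an account that reaches FANOUT_HOSTS distinct servers within FANOUT_WINDOW."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append({"user": user, "start": first["ts"], "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_logins(SAMPLE_LOG)
    for f in flag_logins(evs):
        print(f"{f['ts']:%b %d %H:%M} {f['user']}@{f['host']} from {f['src']}: {f['reason']}")
    for a in detect_fanout(evs):
        print(f"FAN-OUT {a['user']} reached {a['hosts']} starting {a['start']:%H:%M}")
```

On the sample data the first login of the maintenance account is only flagged for the time of day, but the two hops to srv-db and srv-file each trip the source, target and working-hours checks, and the fan-out rule ties the three hosts together into one alert. The baseline is the point: without the per-account list of allowed sources and hosts that the access-rights recommendation implies, the hop lines look like ordinary successful logins.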