North Korea-linked hackers target energy and aerospace companies in new espionage campaign


A cyber-espionage campaign with links to North Korea is targeting companies in the energy and aerospace industries, according to new research from Mandiant.

The group behind the campaign, tracked as UNC2970, is likely linked to North Korea and overlaps with another Pyongyang-backed threat actor, TEMP.Hermit.

Researchers at the Google-owned cyber outfit uncovered UNC2970’s recent campaign in June 2024 and released their findings on Tuesday. The group was first identified in 2021 and has since targeted victims in the U.S., U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.

According to the report, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for prominent companies. They ultimately share a malicious archive purported to contain a job description in PDF file format.

The PDF file can only be opened with a trojanized version of the legitimate open-source document viewer, SumatraPDF, which delivers a backdoor named Mistpen via the Burnbook launcher.

Researchers noted that the hackers modified the open-source code of an older version of SumatraPDF for this campaign, and that the actual SumatraPDF service was not compromised.
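The lure described above pairs a "job description" document with a bundled, attacker-built copy of a legitimate viewer, so that the only way to open the document is to run the attacker's binary. A mail gateway or endpoint check can flag that pattern before a user ever double-clicks. The script below is an added example, not Mandiant's or Recorded Future's code: it inspects a ZIP archive, records any document files and any PE executables it finds (by `MZ` header, not just extension, so a renamed binary is still caught), compares each executable's SHA-256 against an organisation-maintained allowlist of vetted viewer builds, and reports a "lure bundle" when a document ships alongside an executable that is not on that list. The allowlist hash and both sample archives are constructed placeholders, not real SumatraPDF hashes or real campaign artifacts.

```python
"""Flag 'lure document + bundled viewer' archives.

Added example, not code from the campaign report. Assumptions: archives
are ZIP files, and the organisation keeps its own allowlist of SHA-256
hashes for approved viewer builds (the hash below is a placeholder).
"""
import hashlib
import io
import posixpath
import zipfile

DOC_EXT = {".pdf", ".doc", ".docx"}
EXE_EXT = {".exe", ".dll", ".scr"}
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with

# Placeholder allowlist (constructed): SHA-256 of viewer builds the org has vetted.
APPROVED_VIEWER_HASHES = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def _ext(name: str) -> str:
    """Lower-cased extension of an archive member name, '' if none."""
    return posixpath.splitext(name.lower())[1]


def analyze_archive(data: bytes) -> dict:
    """Inspect a ZIP given as bytes and return findings.

    'lure_bundle' is True when the archive contains a document together
    with at least one PE executable whose hash is not on the approved list.
    """
    findings = {"documents": [], "executables": [], "unapproved": [], "lure_bundle": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            ext = _ext(info.filename)
            if ext in DOC_EXT:
                findings["documents"].append(info.filename)
            # Check content as well as extension: a renamed executable still starts with MZ.
            if ext in EXE_EXT or content.startswith(PE_MAGIC):
                findings["executables"].append(info.filename)
                digest = hashlib.sha256(content).hexdigest()
                if digest not in APPROVED_VIEWER_HASHES:
                    findings["unapproved"].append((info.filename, digest))
    findings["lure_bundle"] = bool(findings["documents"]) and bool(findings["unapproved"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a 'job description' PDF beside a fake viewer executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7\n% constructed sample, not a real lure\n")
        zf.writestr("Viewer/viewer.exe", PE_MAGIC + b"\x90" * 64)  # fake PE stub, not a real binary
        zf.writestr("Viewer/readme.txt", b"Open the PDF with the included viewer.\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: a document on its own, which should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.7\n% constructed benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, analyze_archive(blob))
```

The allowlist approach matters more than the extension check: the report notes the attacker rebuilt an older SumatraPDF release from source, so the binary looks like a real viewer and only a hash (or signature) comparison against builds the organisation has actually vetted separates it from a legitimate copy.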

UNC2970 relies on legitimate job description content to target, among others, victims employed in U.S. critical infrastructure sectors.

The Mistpen malware is a modification of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been improved over time with new features and an added network connectivity check, which complicates sample analysis, researchers said.

Although Mandiant does not name the specific victims targeted in this campaign, researchers believe the hackers are likely aiming to reach senior- or manager-level employees.

“This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers said. The hackers also tailor their malicious messages to better align with the victim’s profile, they added.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
