North Korean hackers are expanding their efforts to break into U.S. defense and aerospace companies in a series of attacks dubbed “Operation North Star.”

Detailed Wednesday by researchers at McAfee Advanced Threat Research, the operation involves the use of a series of malicious documents containing job postings taken from leading defense contractors.

The documents, which typically contain job descriptions for engineering and project management positions for active defense contracts, are targeted to employees who may be interested in job opportunities. Once the document is opened, malicious code designed to gather data is installed in the background.

“The individuals receiving these documents in a targeted spear-phishing campaign were likely to have an interest in the content within these lure documents, as we have observed in previous campaigns, as well as some knowledge or relationship to the defense industry,” the researchers said.

The methodology isn’t new and similar campaigns have been seen in the past, but the researchers note that the implants and lure documents in this campaign are distinctly different, causing them to conclude that it is a distinct campaign in its own right.

Those behind the attack are using compromised services in Europe, with the domain mireene.com a common denominator in many. The domain name is linked to Hidden Cobra, a name given to various suspected North Korea hacking groups by the U.S. Intelligence Community but most commonly tied to the Lazarus Group.

Lazarus pops up like clockwork at least once a year with new hacking campaigns. In December it was a Linux hacking campaign, while in 2018 the hacking group was targeting banks and bitcoin.

Brandon Hoffman, chief information security officer and head of security strategy at cybersecurity form Netenrich Inc., told SiliconANGLE that Operation North Star has several interesting characteristics.

“While reviewing the tactics, techniques and procedures there is no doubt that it is a sophisticated and highly targeted campaign,” he said. “Breaking down the campaign to its simplest terms, the campaign used phishing techniques, word documents, DLLs and libraries for persistence and is still reliant on command-and-control for objective completion.”

Tom Pendergast, chief learning officer at cybersecurity and privacy education firm MediaPRO Holdings LLC noted that too often the point of entry for an attack is an employee. “That’s why social engineering attacks — especially spear-phishing attacks aimed at a particular kind of person — are so often capable of wreaking havoc within a compan,” he said. “Users at defense and aerospace companies must be especially skeptical of any contact — sadly, even to the point of paranoia — and have to take steps to verify the legitimacy of contacts.”

Photo: The Kremlin