Above-average salaries, varied tasks, and excellent career opportunities make Lockheed Martin Corporation one of the most attractive employers in the United States. So, if a job offer from the sought-after employer lands in someone’s personal inbox, few of the recipients would refrain from taking a look at it.
This is precisely the calculation of one of the most notorious hacker groups in recent years: Lazarus, a cybercrime organization linked to the North Korean state, has now been revealed as sending fake job offers from Lockheed Martin to compromise its victims’ computers.
Sophisticated APT attack on selected targets
Also known as Guardians of Peace or Whois Team, Lazarus has been attacking companies, organizations, and government agencies around the world since 2009 with a high level of technical expertise and presumably state support. One of its best-known attacks might be the WannaCry ransomware attack of 2017, which affected around 200,000 computers in 150 countries and caused around USD 4 billion in damages.
The techniques used by the Lazarus criminals are as sophisticated as they are insidious. While WannaCry used one of the first known crypto worms, this particular attack is what is known as an advanced persistent threat, or APT for short. The door opener is the supposed job offer, which is sent to a specific group of people as a spear phishing email. It contains malicious scripts that infect the systems of those affected and then spread gradually to gain even greater access in order to transfer data to the attackers' own systems.
Not smart enough for Acronis Cyber Protect
Because APTs are often able to modify code autonomously and continuously—covering their tracks as much as possible—they are very difficult to detect. In this case, the Windows Update client was manipulated and a malicious DLL was executed, preventing a security alert from being triggered.
However, APT attacks can be detected and blocked using behaviour-based technology and artificial intelligence that identify unusual activity. As soon as such a behavioural anomaly is registered, malicious script execution is immediately stopped and the malware has no chance of taking hold in the system. And that is exactly what happened in the case of the fake Lockheed Martin job offers. Computers targeted by the attack but secured by Acronis Cyber Protect received the following message: