North Korea Attacks United States…with Spear Phishing
Quick Answer
Prevailion researchers tracked an ongoing North Korea-linked spear-phishing campaign called Autumn Aperture targeting US firms involved with nuclear deterrence, North Korea's nuclear submarine program, and economic sanctions. Victims receive booby-trapped, legitimate-looking documents the recipient was likely expecting. Newer features include host enumeration, password-protecting attached documents to slow inspection, and Windows Management Instrumentation (WMI) checks that compare running processes and services against a list of known antivirus products to decide whether to fetch the next-stage payload. The takeaway: organizations holding sensitive intellectual property need real-time link click protection at the email layer, because user inspection won't catch this level of targeting.
The wars of the future won’t be fought with bombs and planes; they’ll be fought with 1s and 0s. And while the U.S. is worried about North Korea getting nuclear weapons, it should be more worried about its cyberattacks.
The latest salvo from North Korea is a spear-phishing attack targeting U.S. firms “with an interest in nuclear deterrence, North Korea’s nuclear submarine program and North Korean economic sanctions.” Apparently this is an ongoing malware campaign aimed at U.S. companies.
“The campaign, which researchers from Prevailion call ‘Autumn Aperture’, sends victims trojanized documents via spear-phishing emails. The campaign is highly sophisticated, using legitimate documents that the targets were likely expecting, which have been booby-trapped.”
If North Korea does gain nuclear secrets, you can be sure it’s due, at least in part, to its ability to steal secrets using spear phishing attacks. And according to the report, the latest spear phishing emails are pretty advanced. For example, “One newly added feature would enumerate the host machine and experiment with password-protecting certain documents. Autumn Aperture also added a new feature called Windows Management Instrumentation (WMI) – the infrastructure for management data and operations on Windows-based operating systems – to determine if it was safe to obtain the next payload on the host machine. It did this by obtaining a list of running processes and services from WMI, then comparing that output to a list of known antivirus products.”
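From the defender's side, the WMI check quoted above leaves a footprint worth hunting for: a document-handling process whose child processes enumerate running processes and services through WMI. The Python routine below is an added illustration, not code from Prevailion or from this post; it runs over constructed Sysmon-style process-creation records, and the record layout, the handler process names and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records: (pid, ppid, image path, command line).
# These are illustrative and are not events taken from the Autumn Aperture report.
SAMPLE_EVENTS = [
    (4100, 900, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n briefing.docx"),
    (4232, 4100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic process get name,executablepath"),
    (4240, 4100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic service get name,state"),
    (5010, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (5020, 5010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c Get-CimInstance Win32_Service"),
]

# Processes that open the kind of trojanized documents the campaign delivers (assumed list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Command lines that enumerate processes or services through WMI/CIM.
WMI_ENUM = re.compile(
    r"wmic\s+(?P<a>process|service)\b"
    r"|Get-(?:WmiObject|CimInstance)\b.*?Win32_(?P<b>Process|Service)\b",
    re.IGNORECASE,
)

def wmi_enum_kind(cmdline):
    """Return 'process', 'service', or None for a single command line."""
    m = WMI_ENUM.search(cmdline)
    if not m:
        return None
    return (m.group("a") or m.group("b")).lower()

def wmi_recon_by_document_parent(events):
    """Map each document-handler pid to the set of WMI enumeration kinds its children ran."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    kinds = defaultdict(set)
    for pid, ppid, image, cmd in events:
        kind = wmi_enum_kind(cmd)
        if kind is None:
            continue
        parent = by_pid.get(ppid)
        # Only WMI queries spawned (directly) by a document handler are interesting here.
        if parent and parent[1].rsplit("\\", 1)[-1].lower() in DOCUMENT_HANDLERS:
            kinds[ppid].add(kind)
    return dict(kinds)

def suspicious_document_processes(events):
    """Document handlers whose children enumerated both processes and services,
    matching the pre-payload check described in the report."""
    return sorted(p for p, k in wmi_recon_by_document_parent(events).items()
                  if {"process", "service"} <= k)
```

The PowerShell query under explorer.exe is deliberately left unflagged: the signal is WMI enumeration descending from a document viewer, not WMI use in general.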
Deploying cloud-based email security with real-time link click protection is important for all companies, but it’s especially important for companies with nuclear secrets. The only way to combat these advanced phishing tactics is with technology that’s prepared to sniff it out.
Whether you work for an organization with nuclear secrets or not, you should strongly consider protecting your employees with technology like Advanced Threat Defense. It protects employees from malicious emails 24/7 on any device.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.