The Lazarus Group, North Korea-linked Advanced Persistent Threat (APT) actor, appears to have expanded from cyber attacks aimed at stealing money to support the country’s struggling economy to campaigns targeting defence industry in order to steal highly sensitive information, according to a new report from Kaspersky.

The Lazarus group had been targeting the defense industry since early 2020 using a custom backdoor dubbed ThreatNeedle, which is able to move laterally through infected networks and extract confidential information. So far, this cyber-espionage campaign affected organizations in more than a dozen countries, Kaspersky said.

ThreatNeedle is an advanced cluster of the Manuscrypt malware (aka NukeSped) and is delivered via spear-phishing emails with COVID-19 related themes. The emails contain a malicious Microsoft Word attachment or a link to one hosted on company servers. To make phishing messages more believable, the hackers embellish them with personal information collected using publicly available sources.

The ThreatNeedle installer-type malware implants the next stage loader-type malware, which in turn executes the ThreatNeedle backdoor in memory. It can manipulate files and directories, gather system data, control and upd ate the backdoor, enter sleep/hibernation mode, and execute received commands.

Once gaining initial foothold, the attackers steal credentials and move laterally within the victim’s network in search of valuable assets.

“One of the most interesting techniques in this campaign is the group’s ability to steal data from both office IT networks (a network that contains computers with internet access) and a plant’s restricted network (one containing mission-critical assets and computers with highly sensitive data and no internet access). According to company policy, no information is supposed to be transferred between these two networks. However, administrators could connect to both networks to maintain these systems. Lazarus was able to obtain control of administrator workstations and then se t up a malicious gateway to attack the restricted network and to steal and extract confidential data from there,” the researchers wrote.

Kaspersky also discovered links between ThreatNeedle and DeathNote (Operation Dream Job) and Operation AppleJeus, two cyber operations previously attributed to Lazarus. In addition, ThreatNeedle also appears to be connected to the Bookcode cluster of activity.

“In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks,” the researchers noted.