The North Korean state-backed hacker group Kimsuky (aka APT43) launched a sophisticated phishing campaign against German defense contractor Diehl Defense, which manufactures the IRIS-T air defense missile system. The attack, first reported by German news outlet Der Spiegel, was aimed at infecting the computers of Diehl employees with spyware.
According to security researchers from Google’s subsidiary Mandiant, Kimsuky used fake job offers, supposedly from major US defense firms, to lure their targets. Once employees opened the malicious attachments, they were redirected to a counterfeit website designed to infect their systems with malware. This gave the attackers access to sensitive information.
In an attempt to evade detection, the hackers used a server named ‘Uberlingen,’ a name resembling that of the town near Lake Constance in southern Germany where Diehl is based. They also set up bogus web pages that mimicked popular German online services, such as Telekom and GMX, to make the phishing attempt appear more legitimate.
The Federal Office for Information Security (BSI) confirmed the attack, noting that it was part of a broader campaign by Kimsuky, which has been targeting various organizations in Germany.
Since May, BSI has been monitoring the suspicious network activities linked to this attack, and Diehl Defense is not the only company affected. Other German organizations are also believed to be under threat from this ongoing cyber campaign.