North Korean Threat Actors Target European Drone Makers

Researchers have identified a new wave of cybersecurity attacks against European drone makers by the Lazarus Group, a well-known and sophisticated threat actor group, allegedly sponsored by the North Korean government.

This campaign is the latest iteration of “Operation DreamJob,” a long running series of social engineering and malware operations, designed to exfiltrate proprietary information and manufacturing know-how.

Overview of the Attack

Reports allege that Lazarus Group targeted at least three European drone makers using fake job postings for high-profile roles at major defence and aerospace firms. While this campaign is different from the DPRK IT Worker scheme conducted by a different North Korean group, it leverages some similar social engineering tactics. Attackers lured employees to open a PDF “job description” which were infected with malware. Once the PDFs were opened, the malware deployed a remote access trojan capable of issuing a variety of commands, such as file manipulation, system reconnaissance, and payload execution. This type of malware provides persistent, interactive access to infected systems, enabling the theft of technical information and production data.

Reports suggest that the campaign was aimed at collecting intelligence on unmanned ariel vehicles (UAVs), otherwise known as “drones”. Specifically, the campaign targeted drone information that Ukraine is using in Russia, suggesting strategic interest in North Korea’s military modernisation efforts.

Key Takeaways

Elevated Threat Level: Entities involved in drone manufacturing, particularly those supporting Ukraine or are dual use, should assume heightened targeting risk from nation-state threat actors. Such attacks recently shutdown the entire operations of a major vehicle manufacturer in the United Kingdom for 5 weeks, which shows the real impact on manufacturing processes that an incident can achieve. To reduce the risk of compromise from similar campaigns, companies should focus on strengthening defences by (i) practising incident readiness, (ii) hardening email and document handling; (iii) securing open source and third-party software, (iv) enhancing identity, access and credential controls, and (v) continuing to raise overall employee and contractor awareness.

Reinforce Employee Awareness: Social engineering remains a primary entry vector. Organisations should consider refreshing their training around cybersecurity and phishing, as well as organisational discussions around comprehensive systems hardening efforts. This also includes reviewing incident response plans and conducting tabletop exercises. Comprehensive approaches to systems hardening are not a singular control but should be a cross-functional effort that considers technical defences, employee awareness, and supply chain vigilance.

Incident Reporting Obligations: In Europe, potential compromise can trigger both personal data related incident reporting and wider cyber incident reporting. Potential compromise of defence-related intellectual property carries additional reporting duties, which may heighten potential liability. In addition, many strategic suppliers or OEM contracts contain cyber incident reporting clauses. It is important to review third party requirements, ensuring timely notice to contractors, government agencies, and insurers.

Conclusion

Crowell & Moring is closely monitoring the details of this compromise as it unfolds. As these types of cybersecurity attacks grow more sophisticated and target sensitive industries, legal counsel can play a crucial role in helping organisations manage risk, ensure compliance, and respond effectively.

Our attorneys have deep experience in cybersecurity, privacy, aviation, government investigations, sanctions, and export controls, and are skilled at assisting in all stages of such matters, from risk assessments through internal investigations and remediation, disclosures to regulators, and civil and criminal defence.

For additional information, please contact our team.