North Korean Hackers Target Israeli Defense Companies

North Korean hackers launched attacks against Israel’s defense sector, according to a new report from ClearSky, a private cybersecurity company. The hackers likely sought to uncover military secrets essential to South Korea’s development of a missile defense system that resembles Israel’s Iron Dome.

ClearSky dubbed this North Korean cyber campaign “Operation Dream Job” because the hackers used fake job postings and advanced social engineering tactics to convince their targets to download malware-laden documents. The report concluded that the hackers targeted numerous defense companies not just in Israel but also throughout the Middle East. The Israeli government claimed the hackers failed, yet ClearSky’s assessment found that the attackers likely stole a large amount of classified data.

The report noted that Israeli defense companies prevented similar North Korean attacks last year when hackers sent emails with poorly translated Hebrew. The hackers learned their lesson. This time, they used LinkedIn and WhatsApp to lure and entrap their victims to install remote access trojans, which are computer viruses that steal passwords and other information.

The report determined that the hackers improved their social engineering ploys through extensive reconnaissance work to create realistic but fake recruiter profiles on LinkedIn. Additionally, the hackers demonstrated improved English-language skills. Not only were the hackers convincing over email and online messaging apps, but they spoke with victims by phone to sell the ruse.

ClearSky suggests “dozens of researchers and intelligence personnel” from North Korea may have helped the hackers upgrade their campaigns. It is possible that North Korea’s intelligence agency, the Reconnaissance General Bureau, which oversees North Korea’s malicious cyber operations, tasked its operatives who specialize in target reconnaissance or the English language to provide support to these hacking operations.

ClearSky determined that the hackers were likely motivated by financial gain, since the stolen data focused primarily on the target company’s activity and financial affairs. ClearSky also speculated that the hackers could sell the stolen data to Israel’s enemies, specifically Iran, for profit.

While this assessment aligns with U.S. government and UN findings that North Korean hackers support Pyongyang’s multifaceted sanctions evasion tactics by generating illicit income, it overlooks another significant potential motive: finding weaknesses in South Korea’s military capabilities.

Earlier this month, South Korea’s defense ministry announced it would develop a long-range artillery interceptor system based on Israel’s Iron Dome. While Operation Dream Job occurred before the announcement, Seoul’s military has debated the issue since 2013, and Pyongyang’s intelligence operatives were no doubt tasked with monitoring this kind of development.

An interceptor system would significantly boost South Korea’s ability to mitigate the threat from the North Korean military’s long-range artillery targeting the Seoul metropolitan area. Artillery serves as a critical component of North Korea’s asymmetric warfighting plan, and thus Seoul’s development of an Iron Dome-like system would undercut one of the few advantages Pyongyang’s military possesses. ClearSky did not specify which Israeli defense firms were hacked, and thus it is not known if the targeted firms are involved in Iron Dome.

If the hackers indeed targeted such companies, Operation Dream Job could have served as the first stage of a longer-term espionage operation. For instance, during the 2016 attack against the Bank of Bangladesh, hackers remained on the compromised networks for months to study the networks and understand how to manipulate their controls of the SWIFT financial messaging service, which ultimately enabled them to steal $81 million. It is not hard to imagine how hackers could leverage their access in one Israeli defense firm to gain access into the broader Israeli defense sector or possibly the defense sectors of other partner nations.

Operation Dream Job is a reminder that North Korea’s cyber operations are not localized, but rather pose a threat to U.S. allies around the globe. Countries such as Japan and Taiwan have for years been organizing multinational cyber exercises with the United States and other like-minded countries to simulate various cyber threats. Future exercises should expand the group of participating countries to include America’s most technologically and militarily advanced allies and partners, regardless of their geographic region. Washington need not wait for public confirmation of cooperation among its cyber adversaries to enhance offensive and defensive cyber cooperation between and among U.S. allies and partners.

Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI). For more analysis from Mathew and CCTI, please subscribe HERE. Follow Mathew on Twitter @MatJunsuk. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.