North Korean Hackers Target Nuclear Industry with Sophisticated Job Scam



The North Korean state-sponsored hacking group Lazarus has been caught targeting IT staff at a nuclear-related organization. The activity, which Kaspersky observed in January 2024, involved at least two employees of the same organization being targeted within roughly a month of each other.

The intrusions follow the playbook of Operation DreamJob, a long-running Lazarus campaign in which the group poses as recruiters, creates fake job opportunities, and approaches targets over LinkedIn and X (formerly Twitter). The attackers ran multiple rounds of fake interviews; as part of a supposed skills assessment, the victims were asked to run a trojanized VNC client, which is how the first malware reached their machines.

With the trojanized VNC client as its initial foothold, Lazarus delivered the CookieTime backdoor, which executes commands received from its command-and-control server. The attackers used it to run commands on the compromised hosts and to move laterally within the organization's network, then installed additional components, including LPEClient, Charamel Loader, ServiceChanger, and a newly identified plugin-based malware called CookiePlus.

Kaspersky's researchers describe CookiePlus as new, plugin-based malware that, in the observed samples, acts as a downloader with deliberately minimal functionality: it fetches further plugins rather than carrying many capabilities itself, which keeps its on-disk footprint small and hard to signature. How it was loaded varied with the loader in use; Kaspersky saw it brought in both by Charamel Loader and by ServiceChanger.

This activity is a continuation of the DreamJob campaign Lazarus has run since at least 2020. The group has a track record of targeting defense, aerospace, and cryptocurrency companies; in March 2022 it stole approximately $600 million of cryptocurrency from the Ronin bridge, an attack the FBI attributed to Lazarus.

The timing and sophistication of these latest attacks indicate that Lazarus Group remains an active and dangerous cyber threat, particularly to organizations in sensitive industries like nuclear power.