North Korean Hackers Target Nuclear Engineers with Advanced CookiePlus Malware


North Korea's notorious hacking group Lazarus has launched sophisticated cyber attacks against nuclear industry employees, deploying a new malware called CookiePlus, according to research from Kaspersky.

The attacks, detected in January 2024, targeted at least two employees at an undisclosed nuclear organization as part of the group's ongoing "Operation Dream Job" espionage campaign.

The hackers used deceptive job recruitment tactics, approaching victims with fake employment opportunities at aerospace and defense companies. The scheme involved distributing trojanized versions of remote access tools like VNC software, supposedly for skills assessment purposes.

Once installed, the malicious VNC applications deployed multiple payloads including a backdoor called MISTPEN and ultimately the new CookiePlus malware. This modular malware masquerades as legitimate software plugins while secretly downloading encrypted payloads from command servers.

The attack chain showed sophisticated lateral movement capabilities, with the hackers spreading from one compromised host to others within the organization over several months. On infected systems, CookiePlus collected system information and maintained persistent access through stealthy operations.

Security researchers note that CookiePlus represents an evolution in Lazarus Group's toolkit, suggesting ongoing efforts to enhance their cyber capabilities and evade detection.

This campaign aligns with broader North Korean cyber operations in 2024, which have proven increasingly successful. According to Chainalysis, North Korean hackers stole $1.34 billion in cryptocurrency last year - more than double their 2023 haul of $660.50 million.

The targeting of the nuclear sector raises serious concerns about risks to critical infrastructure and sensitive technical information. Organizations in high-risk sectors are advised to maintain strong security measures and train employees to recognize sophisticated social engineering tactics.