The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have claimed that North Korean state-sponsored hackers are using a remote access Trojan (RAT), dubbed BLINDINGCAN, to target American government contractors in the defense, aerospace and energy sectors. The apparent purpose of the attacks, which started earlier this year, is to collect intelligence about key military and energy technologies. The attacks had been detailed earlier by the cyber-security firms McAfee and ClearSky.
According to the United States government, all the documented attacks by these groups follow a similar routine and use fake job postings from leading defense contractors to lure their unsuspecting victims. The attackers apparently send spam mail carrying malicious files (.docx or PDF documents) that can then deploy spyware on the victims' machines. As per the report, the DLLs and XML documents examined by CISA either attempted to connect to external domains or tried to drop additional DLLs that eventually deployed and ran the BLINDINGCAN malware.
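The report describes lure documents whose embedded XML reaches out to external domains. One check a defender can run on inbound Office attachments is to list every relationship inside the .docx package that is marked external and flag hosts that are not expected. The following scanner is an added example, not code from the report or from either vendor; the sample document it builds is constructed in memory, and the hostnames `lure.example` and `intranet.example` are placeholders, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OPC relationship namespace used by every *.rels part inside a .docx package
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_targets(docx_bytes: bytes):
    """List every relationship marked TargetMode="External" in a .docx.

    A .docx is a zip of XML parts; only the *.rels parts can point outside
    the package, so those are the only parts the scanner reads.
    Returns tuples of (rels part name, short relationship type, target).
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def flag_unexpected_hosts(targets, allowed_hosts):
    """Keep only external targets whose host is not on the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for part, rtype, target in targets:
        host = (urlparse(target).hostname or "").lower()
        if host and host not in allowed:
            flagged.append((part, rtype, target))
    return flagged


def build_sample_docx(template_url: str, link_url: str) -> bytes:
    """Construct a minimal .docx (a constructed sample, not a real lure) whose
    settings part references an external template and whose body links out."""
    rels_open = f'<Relationships xmlns="{REL_NS}">'
    parts = {
        "[Content_Types].xml": "<Types/>",
        "_rels/.rels": rels_open + f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" '
                       'Target="word/document.xml"/></Relationships>',
        "word/document.xml": "<document/>",
        "word/settings.xml": "<settings/>",
        # external template reference lives in the settings part's relationships
        "word/_rels/settings.xml.rels": rels_open +
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>',
        # an ordinary hyperlink is also an external relationship, but to an allowed host
        "word/_rels/document.xml.rels": rels_open +
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/settings" Target="settings.xml"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
            f'Target="{link_url}" TargetMode="External"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://lure.example/template.dotm",
                               "https://intranet.example/policy")
    for hit in flag_unexpected_hosts(external_targets(sample), {"intranet.example"}):
        print("external reference to unexpected host:", hit)
```

The allow-list is the policy knob: hyperlinks to corporate hosts are routine, while an attached template or OLE object fetched from an unfamiliar domain is worth quarantining before the document is opened.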
“This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system. CISA and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity”, said the report.
North Korean hackers are the prime suspects in a series of attacks on United States government and company networks over the past few years, including notable ones such as the cryptocurrency heists amounting to $571 million in 2017 and 2018. Following persistent attacks on US interests, the United States government last September issued sanctions against three North Korean state-sponsored hacking groups, called Lazarus, Bluenoroff and Andariel.