Pierluigi Paganini October 01, 2024

North Korea-linked APT Kimsuky has been linked to a cyberattack on Diehl Defence, a German manufacturer of advanced military systems.

North Korea-linked APT group Kimsuky has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems.

Diehl Defence GmbH & Co. KG is a German weapon manufacturer headquartered in Überlingen. It operates as a division of Diehl Stiftung and specializes in the production of missiles and ammunition.

The German defense firm also produces Iris-T air-to-air missiles recently acquired by South Korea.

The Kimsuky APT group breached Diehl Defence through a sophisticated phishing campaign, reported the German newspaper Der Spiegel. The cyber attack was discovered by Google-owned cybersecurity firm Mandiant.

“Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a cyberattack by the North Korean hacking group Kimsuky targeting Diehl Defence.” reported Der Spiegel. “The hackers used fake, lucrative job offers from U.S. arms suppliers to deceive Diehl employees. By clicking on a malicious PDF, victims would unknowingly download malware, allowing the hackers to spy on their systems.”

The attackers used fake job offers and specially crafted PDF files to target employees, luring them with offers of jobs at U.S. defense contractors. The experts believe that the attack is significant due to Diehl Defence’s role in manufacturing of missiles, ammunition, and other advanced military systems.

The hackers concealed their attack server using the name “Uberlingen,” referencing Diehl Defence’s location in Überlingen, Germany. The server hosted realistic, German-language login pages mimicking Telekom and GMX, likely aiming to steal login credentials from German users.

A spokesperson for Germany’s Federal Office for Information Security (BSI) confirmed that Kimsuky (aka APT43) is conducting a broader cyber campaign targeting Germany. The BSI confirmed that other German organizations have also been targeted as part of this ongoing campaign.

Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

In May 2024, Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.

In December 2023, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the North Korea-linked APT group Kimsuky.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Kimsuky)