North Korean Hackers Linked to Breach of German Missile Manufacturer

• Missiles and ammunition producer Diehl Defence was the target of a spear-phishing campaign.
• Social engineering tactics leveraging thorough reconnaissance involved fake job offers from U.S. defense contractors.
• The attackers are believed to be the North Korean state-sponsored APT43, also known as Kimsuky.

A sophisticated cyberattack successfully breached Diehl Defence, a prominent German missile manufacturer. The attack was attributed to the North Korean state-sponsored hacking group Kimsuky, also known as APT43, Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, according to Der Spiegel.

The breach is particularly notable due to Diehl Defence's role in producing Iris-T air defense systems and its recent contract to supply them to South Korea. 

The advanced persistent threat (APT) group orchestrated a highly targeted phishing campaign, leveraging well-crafted social engineering tactics, to infiltrate Diehl Defence, according to the report.

The attackers conducted thorough reconnaissance on Diehl Defence, emphasizing their intent and capability to exploit specific vulnerabilities within the company's network.

APT 43 used malicious PDF files and spear-phishing emails masquerading as job offers from American defense contractors, aiming to deceive employees at Diehl Defence. Kimsuky’s attack infrastructure cleverly disguised itself by embedding references to "Uberlingen," aligning with Diehl Defence’s location in Southern Germany. 

The attackers also deployed convincing German-language login pages mimicking those of Telekom and GMX to harvest login credentials from unsuspecting users.

The U.S. government has already imposed sanctions on individuals associated with Kimsuky and issued advisories on the group’s techniques.

APT43, APT45, APT38, and Lazarus Group are all believed to be part of North Korea's Reconnaissance General Bureau (RGB). Known for supporting Pyongyang’s nuclear and strategic initiatives, Kimsuky has a history of targeting governmental and academic institutions across the United States, Europe, and Asia.

Recently, the North Korean cybercriminal group tracked as APT45 has been actively targeting critical infrastructure and military operations located in the U.S., trying to steal nuclear and military secrets from government facilities and agencies.

Spear-phishing campaigns have also targeted IT and Russian government organizations and institutions in Ukraine alike in recent months.