Recent cyberattacks targeting the heart of Europe’s defense sector have drawn attention to the persistent activities of North Korea’s Lazarus group. Three companies, with extensive involvement in the manufacture of drone components, found themselves compromised by a coordinated campaign intending to access valuable aerospace intelligence. While the true extent of data exfiltration is yet to be fully determined, the cyberattacks have highlighted vulnerabilities in organizations linked to military technology, especially unmanned aerial vehicles (UAVs). Security analysts and company officials are reviewing defenses as concerns grow over how advanced persistent threats are evolving techniques to access classified data for geopolitical advantage.
Earlier reports about Lazarus group’s activities primarily focused on financial thefts, such as cryptocurrency heists and banking breaches. In recent years, however, the group has broadened its tactics, increasingly targeting intellectual property within aerospace and defense, as seen in previous attacks on companies in India, Poland, the UK, and Italy. The recent events underscore a continuing trend where espionage is prioritized alongside financial motives, with a sharper focus on acquiring sensitive information relating to UAV technologies. Unlike other incidents, the latest attacks are connected to companies supplying equipment used in the ongoing Ukraine conflict, reflecting shifting operational objectives of the Lazarus group.
Which Companies Were Targeted and Why?
The three targeted organizations included a metal engineering firm, an aircraft component supplier, and a defense manufacturer, all based in Europe. These companies possess unique know-how surrounding drone hardware and software. Investigators believe North Korea sought insights to strengthen its domestic drone development capabilities, particularly as some of this technology is currently deployed in Ukraine, where North Korean soldiers are reportedly present alongside Russian forces.
How Did the Attackers Gain Unauthorized Access?
ESET researchers traced the activity to Operation DreamJob, an ongoing Lazarus campaign that deceives targets using fake job offers. Victims received emails containing a doctored job description and a trojanized PDF reader. This method, once executed, installed “ScoringMathTea,” a remote access trojan providing Lazarus with full control over compromised machines. ESET remarked,
“We believe that it is likely that Operation DreamJob was — at least partially — aimed at stealing proprietary information and manufacturing know-how regarding UAVs,”
emphasizing the strategic purpose behind the operation.
What Tools Did the Attackers Use?
According to ESET, the primary payload in these recent attacks was ScoringMathTea, a tool Lazarus has relied upon since 2022 for similar campaigns. The presence of a dynamic-link library dubbed “DroneEXEHijackingloader.dll” within malware droppers indicated a clear focus on UAV technology. ESET representatives observed,
“This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.”
This highlights the group’s finesse in refining methods while retaining recognizable techniques.
ESET has released technical indicators from these attacks to help other firms identify potential compromise. The company has warned that additional businesses in the drone supply chain may face similar threats, urging enhanced vigilance across the sector. The attacks add to mounting evidence that state-aligned actors are leveraging social engineering with customized malware to breach critical defense infrastructure.
Companies in the drone and defense sector increasingly face risks not just from typical cybercriminals but also from nation-state actors using targeted campaigns. As the Lazarus group prioritizes UAV technologies, the need for organizations to invest in better detection and staff awareness training has become apparent. The use of legitimate-seeming documents and advanced malware in these attacks demonstrates how sophisticated phishing remains a preferred approach for initial compromise. Sector stakeholders should collaborate, sharing threat intelligence, and regularly update security protocols, given the shifting tactics and interests of groups like Lazarus.
- North Korea’s Lazarus group targeted European defense firms for UAV data.
- Attackers deployed fake job offers and a trojanized PDF reader to gain access.
- Experts warn drone sector businesses to heighten security awareness and practices.
