Executive Summary
In March 2023, the Lazarus Group—an advanced persistent threat attributed to North Korea—successfully targeted three European companies in the defense sector involved in drone development. Operating under its Operation DreamJob campaign, the attackers used social engineering tactics, including fraudulent job offers and a trojanized PDF reader delivered through phishing emails, to gain initial access. The deployment of the ScoringMathTea remote access trojan gave them complete control over compromised systems, potentially allowing exfiltration of sensitive data related to unmanned aerial vehicle (UAV) technology and manufacturing know-how. ESET researchers linked the attack to ongoing North Korean efforts to bolster domestic drone capabilities and noted the victims' support of military deployments in Ukraine.
The incident exemplifies the persistent and adaptive nature of sophisticated state-linked cyber-espionage campaigns targeting high-value defense technologies. As strategic competition and armed conflicts persist, such tactics have become more prevalent against organizations with intellectual property critical to national security.
Why This Matters Now
This attack highlights the ongoing and urgent risk of nation-state threats targeting defense supply chains, especially entities involved in drone and aerospace innovation. With geopolitical tensions rising, the exposure of advanced manufacturing knowledge increases risks not just to affected companies but also to allied military operations and national security ecosystems.
Attack Path Analysis
The Lazarus group initiated the attack with spear-phishing emails leveraging fake job offers, delivering a trojanized PDF reader to their targets. Following initial access, they executed a remote access trojan to gain higher privileges on compromised machines. The attackers used their foothold to move laterally through east-west network paths, targeting systems related to drone development. They established persistent command and control channels via the deployed RAT for ongoing management and tasking. Sensitive drone design and manufacturing data was then exfiltrated through covert outbound channels. The ultimate impact focused on unauthorized data theft that could compromise intellectual property and national defense supply chains.
Kill Chain Progression
Initial Compromise
Description
Attackers sent spear-phishing emails containing fake job offers and a trojanized PDF reader which, when opened, executed a dropper to establish an initial foothold.
Related CVEs
CVE-2022-30190
CVSS: 7.8
A remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows attackers to execute arbitrary code via maliciously crafted documents.
Affected Products: Microsoft Windows – 7 SP1, 8.1, 10, 11, Server 2008, Server 2012, Server 2016, Server 2019, Server 2022
Exploit Status: exploited in the wild

CVE-2021-40444
CVSS: 8.8
A remote code execution vulnerability in Microsoft MSHTML allows attackers to execute arbitrary code via specially crafted Office documents.
Affected Products: Microsoft Windows – 7 SP1, 8.1, 10, 11, Server 2008, Server 2012, Server 2016, Server 2019, Server 2022
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Link
Malicious File
Command and Scripting Interpreter
Process Injection
Web Protocols
Obfuscated Files or Information
Valid Accounts
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
ISO/IEC 27001:2022 – Information transfer policies and procedures
Control ID: A.13.2.1
NIS2 Directive (EU) 2022/2555 – Incident Handling and Business Continuity
Control ID: Art. 21(2) (d)(e)(f)
CISA Zero Trust Maturity Model 2.0 – Mitigate social engineering and initial access
Control ID: Identity Pillar – Phishing Resistant MFA
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: Section 500.02
PCI DSS v4.0 – Respond to security incidents
Control ID: 12.10
DORA (Regulation (EU) 2022/2554) – ICT Risk Management
Control ID: Article 10
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
Lazarus APT specifically targeted defense contractors manufacturing drone components for Ukraine operations, requiring enhanced zero trust segmentation and threat detection capabilities.
Aviation/Aerospace
Aircraft component manufacturers face sophisticated social engineering attacks targeting proprietary UAV technology, necessitating stronger egress security and anomaly response systems.
Industrial Automation
Metal engineering and automation companies are prime targets for state-sponsored espionage seeking manufacturing know-how, demanding encrypted traffic protection and visibility controls.
Computer Software/Engineering
Software development firms supporting defense applications require robust Kubernetes security and inline IPS protection against trojanized PDF readers and remote access trojans.
Sources
- North Korea’s Lazarus group attacked three companies involved in drone development – https://cyberscoop.com/north-korea-lazarus-attacks-drone-companies/
- North Korean Lazarus group targets the drone sector in Europe, likely for espionage, ESET Research discovers – https://www.eset.com/us/about/newsroom/research/north-korean-lazarus-group-targets-drone-sector-europe/
- Lazarus group targets European drone makers in new espionage campaign – https://www.csoonline.com/article/4078672/lazarus-group-targets-european-drone-makers-in-new-espionage-campaign.html
- North Korean hackers target European defense firms with dream job scam – https://www.techradar.com/pro/security/north-korean-hackers-target-european-defense-firms-with-dream-job-scam
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive CNSF controls—such as zero trust segmentation, east-west traffic security, egress policy enforcement, and threat detection—could have blocked, contained, or rapidly detected this multi-stage attack. Segmenting workloads, controlling lateral movement, and tightly monitoring outbound flows would have severely limited Lazarus group’s ability to escalate privileges, pivot internally, and exfiltrate sensitive drone data.
Control: Threat Detection & Anomaly Response
Mitigation: Phishing-based activity and new malware execution would be rapidly detected.
Control: Zero Trust Segmentation
Mitigation: Restricts privilege escalation scope by limiting access based on identity and microsegmentation.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are blocked or logged for action by enforcing workload-to-workload security policies.
Control: Inline IPS (Suricata)
Mitigation: Known malicious C2 traffic is blocked and/or alerted on at the network edge.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are blocked or flagged by restricting outbound traffic to authorized domains and protocols.
Accelerated detection and incident response would have minimized the impact to critical workloads.
Impact at a Glance
Affected Business Functions
- Research and Development
- Intellectual Property Management
- Supply Chain Operations
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of proprietary drone design schematics, manufacturing processes, and software source code.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and workload-level access policies to tightly constrain lateral attacker movement.
- Deploy advanced threat detection with behavioral anomaly response to surface early stages of phishing and remote access tooling.
- Enforce strict east-west and egress controls, including policy-driven outbound restrictions and real-time monitoring for unusual data transfers.
- Leverage inline IPS and signature-based inspection at network perimeters and within cloud fabrics to block RAT C2 and malware propagation.
- Enhance multicloud visibility and centralized incident response to detect, investigate, and contain attacks targeting sensitive intellectual property assets.