North Korean Hackers Target Iris-T Missile Maker
North Korean hackers working for state-affiliated entities launched a cyberattack on the German defense company Diehl Defence, renowned for producing the guided Iris-T missiles. The hacker group Kimsuky, which has been highly active in recent times, attempted to breach the company’s systems using fraudulent job offers.
The attack was orchestrated as follows: the perpetrators sent emails to Diehl Defence employees containing fake documents, supposedly offering lucrative job opportunities from major U.S. defense contractors. These emails included PDF files that appeared to be official documents. The hackers anticipated that when victims opened these fake PDF files, their computers would be infected with malware, allowing the attackers to spy on the users.
To conceal their presence, the hackers utilized a server whose name contained the word “Uberlingen,” which coincides with the name of the town on Lake Constance, where one of Diehl Defence’s offices is located. Additionally, fake login pages were discovered on the server, written in German and imitating the interfaces of popular services such as Telekom and GMX. The hackers hoped to deceive users into entering their login credentials, thereby gaining access to their accounts.
Mandiant’s North Korea expert, Michael Barnhart, noted that the hackers thoroughly researched German specifics before launching the attack. An analysis of their search queries confirms this deliberate preparation.
Diehl Defence manufactures, among other things, the Iris-T guided missiles, which are integrated into South Korea’s latest KF-21 fighter jets. This spring, the company announced the successful test launch of the missile. The company declined to comment on the specific details of the incident, stating only that all necessary measures are being taken to ensure security.
A representative from Germany’s Federal Office for Information Security (BSI) reported that the servers used in the attack were identified as early as May. According to BSI data, the attack on Diehl Defence is not an isolated case. Other organizations in Germany have also been affected as part of a campaign by the Kimsuky group, also known as APT43.