Hackers with believed ties to the North Korean government have taken to targeting defense contractors working with the United States government, according to security researchers.

Network and enterprise security company Palo Alto Networks released new research Monday that suggested Lazarus Group, a collective of hackers who are often linked to North Korea, are behind a number of cyber attacks aimed at defense industry companies.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

According to researchers at Palo Alto Networks, a number of attacks have been carried out by a threat group utilizing the same tools and techniques used by Lazarus Group. The attacks have been ongoing through July and are likely still active.

The most recent activity from the group includes launching weaponized Microsoft Office Document files, which are laced with malicious files that can infect a victim’s computer if they download and open the document.

The fake documents target English speakers—a shift from the prior attacks that targeted Korean language speakers—and are designed to appear as job descriptions or internal policy documents from U.S. defense contractors.

One of the documents spotted by Palo Alto Networks included a job description for a mechanical integration engineering manager. Another contained an exact copy of a job posting—including typos and other errors—posted by a contractor.

While the documents have changed, Palo Alto Networks’ researchers found the attack itself, including the malicious payload attached to the fake files, is essentially the same as one targeting South Korean victims earlier this year. The researchers said the threat actors behind the attacks are “reusing tools, techniques, and procedures which overlap throughout these operations with little variance.”

“Through analysis of malicious code, files, and infrastructure it is clear the group behind this campaign is either directly responsible for or has cooperated with the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster,” the researchers wrote, referencing the 2014 hack of Sony Pictures that was attributed to Lazarus Group.

Because the malicious actors have not changed their approach despite public discovery, Palo Alto Networks said it expects the attacks are likely to continue. Luckily, security program can identify the malicious files and potentially cease the spread of the attacks if a system is properly protected.

The continued activity from the hacking group comes weeks after researchers in South Korea found North Korean hackers have expressed more interest in financial gain in recent hacks rather than stealing state secrets or wreaking havoc in the affairs of other nations.

Earlier this month, a number of malware campaigns targeting organizations in North Korea were discovered. The campaigns were believed to be launched in response to the isolated nation’s recent successful test launch of an intercontinental ballistic missile (ICBM) and other advancements in its nuclear weapons programs.

The attacks began just days after North Korea tested its ICBM. Cisco’s cybersecurity firm Talos Intelligence said the campaign appeared “directly related to the launch and the ensuing discussion of North Korean missile technology.”