Google has discovered that hackers backed by the North Korean government are targeting the news media, IT, cryptocurrency, and fintech industries in the United States and around the world.
This article was written by Brendan Taylor and published by Insider Paper.
The Google Threat Analysis Group (TAG) discovered that two distinct North Korean government-backed attacker groups were attempting to exploit a remote code execution vulnerability in the Chrome browser.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” the company said in a blog post.
It’s possible that other North Korean government-backed attackers have access to the same exploit kit, according to the report.
In keeping with ‘Operation Dream Job,’ one campaign targeted over 250 people working for ten different news organisations, domain registrars, web hosting providers, and software vendors.
The targets received emails purporting to be from recruiters at Disney, Google, and Oracle, containing bogus job opportunities.
The emails contained links to bogus job-search websites such as Indeed and ZipRecruiter.
“Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit,” said Google.
Another North Korean group, dubbed ‘Operation AppleJeus,’ used the same exploit kit to target over 85 users in the cryptocurrency and fintech industries. A
At least two legitimate fintech company websites were compromised, and hidden iframes were hosted to serve the exploit kit to visitors.
“In other cases, we observed fake websites — already set up to distribute trojanised cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit,” Google informed.
All identified websites and domains were added to ‘Safe Browsing’ upon discovery to protect users from further exploitation.
“We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity,” said Google.