Google has outlined its efforts to stop two North Korean hacking groups from exploiting a Chrome zero-day vulnerability.
The problem was corrected by Google in February, but it had already been exploited for a month. At the time, Google stated that it was aware of reports that the Chrome bug CVE-2022-0609 was being exploited by hackers. In February, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a directive requiring federal agencies to patch the Chrome problem. The exploit kit was active from January 4, 2022, according to Google’s Threat Analyst Group (TAG).
The North Korean hacking groups that used this exploit, according to Google, are tied to Lazarus, the North Korean hacking outfit suspected of both the Sony Pictures hack and significant larceny via an attack on the SWIFT international bank-messaging system.
Researchers from other cybersecurity businesses have referred to the efforts of these groups as Operation Dream Job and Operation AppleJeus.
“We believe these groups are part of the same entity with a shared supply chain, which explains why they use the same exploit kit, but they each have their own mission set and employ different techniques.” According to TAG’s Adam Weidemann, “it’s possible that other North Korean government-backed attackers have access to the same exploit kit.”
“In line with our current disclosure policy, we are providing these details 30 days after the patch release.”
An exploit kit with various stages and components was used by the attackers. According to the security researchers, the attackers put links to the exploit kit behind hidden iframes that they embedded on both their own and hacked websites.
According to Google, the group has targeted firms in the news media, technology, cryptocurrency, and financial industries in the United States. It is possible that organizations in other countries were also targeted, according to the report.
One of the groups, according to Google, targeted 250 employees from ten businesses in the news media, domain registrars, web hosting providers, and software suppliers with false job offers in emails mimicking Disney, Google, and Oracle recruiters. The emails included links to counterfeit versions of Indeed and ZipRecruiter, two popular sites for recruiting tech talent in the United States.
North Korean hackers affiliated with Lazarus are thought to have stolen about $400 million in cryptocurrencies in 2021, according to blockchain analysis firm Chainalysis. In 2018, a UN panel of experts decided that its cryptocurrency hacks aided North Korea’s ballistic missile development.
The other gang, according to Google, used the same exploit kit to target over 85 users in the cryptocurrency and financial industries.
All identified URLs and domains were added to Google’s Safe Browsing service to safeguard consumers from future exploitation, and Google also sent government-backed attacker alerts to all affected Gmail and Workspace users notifying them of the behavior.
This week, Mandiant, which Google is buying for $5.4 billion, published a fresh report on North Korean hacking. According to the report, North Korea is copying China’s policy of enlisting hacking organizations to work for the government.
Lab 110, TEMP.Hermit, APT38, Andariel, and Bureau 325 are the Lazarus-linked hacker groups, according to Mandiant. They are part of the Reconnaissance General Bureau, North Korea’s foreign intelligence agency, which includes seven sub-organizations that handle operations, reconnaissance, foreign intelligence, South Korean relations, technology, and support.
Each gang is focused on a separate industry, gathering information from businesses about geopolitical events or stealing cryptocurrencies to increase revenue.
“TEMP.Hermit, APT38, and Andariel are most likely Lab 110’s subordinates. According to Mandiant experts, Lab 110 is most likely an extended and rearranged version of “Bureau 121,”
“The country’s espionage operations are thought to reflect the regime’s immediate concerns and priorities, which are likely currently focused on obtaining financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information, and a slight decline in the once rampant theft of COVID-19 vaccine research.” Information gathered during these efforts could be utilized to develop or manufacture internal products and strategies, such as vaccines, sanctions mitigations, and finance for the country’s weapons projects, among other things.”
