North Korea’s new hack: stealing data via open-source code


Crypto was just the beginning. North Korea’s Lazarus Group is now embedding malware in trusted software, taking control of developer tools to steal data in the background.

North Korean hacking group Lazarus has a long back-catalogue of operations, most notably the roughly $600 million in cryptocurrency it stole in 2023.

The group has now switched to playing the long game with a software supply chain operation named “Phantom Circuit,” according to SecurityScorecard researchers.


The operation began earlier this month and has 233 notable victims so far, 100 of them in India. Its main targets appear to be cryptocurrency developers, technology companies, and individuals maintaining open-source projects.

This marks the evolution from stealing cryptocurrency in short heists to playing the long game for more sustainable profits.

Lazarus infiltrated organisations such as CoinProperty and Codementor through backdoored open-source software: legitimate projects were cloned, and malware was then embedded in the copies.

The stolen data included credentials, authentication tokens, and passwords. According to the report, it is likely being used for intelligence gathering in support of North Korea’s geopolitical aims.

The attackers distributed the backdoored copies through GitLab, the cloud-based platform developers use to manage their software development cycle. Because developers commonly trust open-source packages, a malicious drop on such a platform can be installed without a second thought.

SecurityScorecard’s STRIKE investigation team found the command-and-control system the attackers use to search, filter, and manage the data they steal. Stolen data is uploaded to Dropbox, where it can be hidden among legitimate traffic.

Lazarus routes its traffic through Astrill VPN and Russian proxies, so at first glance the activity appears to originate in Russia rather than North Korea.
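The report's recommendation of network traffic monitoring can be made concrete for the exfiltration pattern described above: a developer workstation that suddenly pushes megabytes to a consumer cloud-storage service is worth a look. The script below is an added example, not code from the SecurityScorecard report; the proxy log format, host names, and the one-megabyte threshold are constructed for illustration, and the Dropbox hostnames are the ones a monitoring team would typically group as cloud-storage egress.

```python
"""Flag hosts that push unusual volumes to consumer cloud storage.

Added example. The log lines, host names and threshold are constructed;
adjust the hostname set and threshold to your own environment.
"""
import re
from collections import defaultdict

# Constructed proxy log: "<timestamp> <src_host> <dst_host> <bytes_out> <method>".
SAMPLE_LOG = """\
2025-01-10T09:01:02Z dev-ws-07 github.com 1840 GET
2025-01-10T09:02:11Z dev-ws-07 pypi.org 920 GET
2025-01-10T09:05:43Z dev-ws-07 content.dropboxapi.com 5242880 POST
2025-01-10T09:05:51Z dev-ws-07 content.dropboxapi.com 7340032 POST
2025-01-10T09:06:20Z build-01 registry.npmjs.org 2200 GET
2025-01-10T09:07:02Z dev-ws-12 content.dropboxapi.com 40960 POST
2025-01-10T09:09:30Z ci-runner-3 api.dropboxapi.com 512 POST
"""

# Hostnames treated as cloud-storage egress (assumption: extend for your tenant).
CLOUD_STORAGE_HOSTS = {
    "content.dropboxapi.com",
    "api.dropboxapi.com",
    "www.dropbox.com",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes, method = m.groups()
        records.append(
            {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes), "method": method}
        )
    return records


def cloud_upload_volume(records):
    """Total bytes sent with upload methods to cloud-storage hosts, per source host."""
    totals = defaultdict(int)
    for r in records:
        if r["dst"] in CLOUD_STORAGE_HOSTS and r["method"] in ("POST", "PUT"):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def flag_exfil(records, threshold_bytes=1_000_000, allowed_uploaders=()):
    """Source hosts exceeding the upload threshold, minus an explicit allowlist
    (for example a sanctioned backup server)."""
    totals = cloud_upload_volume(records)
    return sorted(
        src
        for src, total in totals.items()
        if total >= threshold_bytes and src not in allowed_uploaders
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, total in sorted(cloud_upload_volume(recs).items()):
        print(f"{host:12s} {total:>10d} bytes to cloud storage")
    print("flagged:", flag_exfil(recs))
```

On the constructed sample only dev-ws-07 trips the threshold; the two small POSTs from dev-ws-12 and ci-runner-3 are ordinary API chatter. In practice the threshold should come from a per-host baseline rather than a fixed number, and the same aggregation can be keyed on egress via a VPN exit instead of destination hostname.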

By shifting to a longer-term strategy, Lazarus becomes stealthier and more persistent, and can collect intelligence at a more sustainable pace.


Compared with past operations, which included attacks on banks as far apart as Poland, Mexico and Bangladesh, the 2014 breach of Sony’s corporate data infrastructure, and the WannaCry ransomware worm that hit institutions worldwide, from the NHS in the UK to universities in China, this one is particularly perilous because it masquerades as an entirely routine installation.

Developers need to strengthen supply chain security “by implementing rigorous code verification processes and network traffic monitoring,” the report states.
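The "rigorous code verification" the report calls for has a simple first step against the cloned-and-backdoored repositories described earlier: before installing from a fork or mirror, compare its file tree against the legitimate upstream and inspect anything that was added or altered. The script below is an added example, not code from the SecurityScorecard report or from any project named on this page. It constructs a small "upstream" tree and a "clone" of it in a temporary directory so it runs offline; the package layout, file names and contents are made up for illustration, and a real run would point the two roots at a checkout of the upstream tag and the suspect copy.

```python
"""Diff a suspect clone of a repository against the legitimate upstream tree.

Added example with constructed trees; point diff_trees() at real checkouts
(same release tag on both sides) to use it for real.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that carry no source of interest for this comparison.
SKIP_DIRS = (".git", "node_modules", "__pycache__")


def file_digests(root, skip_dirs=SKIP_DIRS):
    """Map relative POSIX path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in skip_dirs for part in rel.parts):
            continue
        if path.is_file():
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(upstream_root, clone_root):
    """Files the clone added, removed, or changed relative to upstream."""
    up, cl = file_digests(upstream_root), file_digests(clone_root)
    return {
        "added": sorted(set(cl) - set(up)),
        "removed": sorted(set(up) - set(cl)),
        "modified": sorted(p for p in set(up) & set(cl) if up[p] != cl[p]),
    }


def write_tree(root, files):
    """Materialise a {relative_path: text} mapping under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


# Constructed upstream project (hypothetical package "demo").
UPSTREAM = {
    "setup.py": "from setuptools import setup\nsetup(name='demo', packages=['demo'])\n",
    "demo/__init__.py": "from .core import run\n",
    "demo/core.py": "def run():\n    return 'ok'\n",
    "README.md": "# demo\n",
}

# Constructed clone: identical except for one altered file and one new module,
# which is exactly the shape a tree diff should surface before installation.
CLONE = dict(UPSTREAM)
CLONE["setup.py"] = UPSTREAM["setup.py"].replace(
    "setup(", "import demo._post  # not present upstream\nsetup("
)
CLONE["demo/_post.py"] = "# placeholder for code that upstream does not ship\n"


def demo():
    """Build both trees in a temp dir and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        up, cl = os.path.join(tmp, "upstream"), os.path.join(tmp, "clone")
        write_tree(up, UPSTREAM)
        write_tree(cl, CLONE)
        return diff_trees(up, cl)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        for path in result[kind]:
            print(f"{kind:9s} {path}")
```

A non-empty "added" or "modified" list is not proof of a backdoor, but every entry in it is a file that the upstream maintainers never reviewed, and install-time scripts such as setup.py deserve the closest reading. The check complements, rather than replaces, pinning dependencies by hash and fetching them from the upstream source you actually trust.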

This is a prime example of the need to ramp up security further as these attacks become increasingly sophisticated.
