South Korean APT uses five zero-day flaws to turn the tables on North Korea

The group, linked to South Korea, used bugs in Internet Explorer, Google Chrome and the Windows Kernel to target North Koreans

An unidentified but sophisticated group of hackers used at least five zero-day vulnerabilities last year to target individuals inside North Korea or professionals working on DPRK-related issues.

That's according to Google's Threat Analysis Group (TAG), which analysed nearly 40,000 warnings relating to nation-state hack attacks in 2019, and was surprised to see the activities of one single actor that carried out some highly sophisticated attacks targeting North Korean professionals.

To conduct this espionage campaign, threat actor capitalised on five zero-day vulnerabilities that impacted Internet Explorer, Google Chrome, and Windows Kernel.

"Finding this many zero-day exploits from the same actor in a relatively short time frame is rare," the researchers noted.

The flaws were exploited using phishing emails containing malicious attachments or links to rogue websites. Hackers also used watering hole attacks to infect victims' system with malware when victims visited some legitimate but compromised websites.

While Google did not specify the identity of the threat group behind the campaign, some security experts believe it could the work of South Korea-backed hackers.

Russian security firm Kaspersky linked the cyber campaign to DarkHotel, a group that has previously targeted North Korean government agencies and is thought to be sponsored by the South Korean government.

"It's really impressive. It shows a level of operational polish," Kaspersky told Wired.

Kaspersky said that it has previously observed DarkHotel exploiting two of the five vulnerabilities - one in Internet Explorer and one in Windows - to plant malware on the systems of potential targets.

DarkHotel group is believed to be active since at least 2007, and in 2014, Kaspersky researchers spotted the group compromising hotel Wi-Fi networks in efforts to carry out attacks against specific hotel guests.

The group is mostly interested in collecting information such as emails, documents, and other bits of sensitive data from targets.

"The DarkHotel's main purpose is a sophisticated cyber-espionage campaign aimed at corporate executives: CEOs, senior vice presidents, sales and marketing directors, and top R&D staff have all been targeted," Kaspersky notes.

In another finding, Google said that it noticed a spike in phishing attacks impersonating news outlets and journalists in 2019. In many cases, the primary intention of the attackers was to spread disinformation through other reporters.

Google said that attackers first sent benign emails in hopes of building a rapport with a foreign policy expert or a journalist, before sending a follow-up email with a malicious attachment.