South Korean APT uses five zero-day flaws to turn the tables on North Korea
The group, linked to South Korea, used bugs in Internet Explorer, Google Chrome and the Windows Kernel to target North Koreans
An unidentified but sophisticated group of hackers used at least five zero-day vulnerabilities last year to target individuals inside North Korea or professionals working on DPRK-related issues.
That's according to Google's Threat Analysis Group (TAG), which analysed nearly 40,000 warnings it issued about nation-state attacks in 2019 and was surprised to find a single actor behind a set of highly sophisticated attacks on North Korean professionals.
To conduct this espionage campaign, the threat actor exploited five zero-day vulnerabilities affecting Internet Explorer, Google Chrome and the Windows kernel.
"Finding this many zero-day exploits from the same actor in a relatively short time frame is rare," the researchers noted.
The flaws were exploited through phishing emails carrying malicious attachments or links to rogue websites. The attackers also used watering hole attacks, planting malware on legitimate but compromised websites so that victims were infected simply by visiting them.
While Google did not name the threat group behind the campaign, some security experts believe it could be the work of South Korea-backed hackers.
Russian security firm Kaspersky linked the cyber campaign to DarkHotel, a group that has previously targeted North Korean government agencies and is thought to be sponsored by the South Korean government.
"It's really impressive. It shows a level of operational polish," Kaspersky told Wired.
Kaspersky said that it has previously observed DarkHotel exploiting two of the five vulnerabilities - one in Internet Explorer and one in Windows - to plant malware on the systems of potential targets.
The DarkHotel group is believed to have been active since at least 2007. In 2014, Kaspersky researchers observed it compromising hotel Wi-Fi networks in order to attack specific hotel guests.
The group is mainly interested in collecting emails, documents and other sensitive data from its targets.
"The DarkHotel's main purpose is a sophisticated cyber-espionage campaign aimed at corporate executives: CEOs, senior vice presidents, sales and marketing directors, and top R&D staff have all been targeted," Kaspersky notes.
In another finding, Google said that it noticed a spike in phishing attacks impersonating news outlets and journalists in 2019. In many cases, the primary intention of the attackers was to spread disinformation through other reporters.
Google said that attackers first sent benign emails in hopes of building a rapport with a foreign policy expert or a journalist, before sending a follow-up email with a malicious attachment.