Google: We stopped these hackers who were targeting job hunters and crypto firms

Google and Mandiant detail North Korea's efforts to organize its offensive cyber capabilities within the government.
Written by Liam Tung, Contributing Writer

Google has detailed its work to thwart not one but two North Korean hacking groups using a Chrome zero-day bug.

Google patched the bug in February but it was being exploited a month earlier. At the time, Google said it knew of reports that hackers were exploiting the Chrome bug CVE-2022-0609. The US Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to patch the Chrome bug in February. Google's Threat Analyst Group (TAG) says the exploit kit was being actively deployed from January 4, 2022. 

According to Google, the North Korean hacking groups who were using this exploit are linked to Lazarus, the North Korean hacking group accused of both the Sony Pictures hack and massive theft via an attack on the SWIFT international bank-messaging system. 

SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydays

These groups' work have been referenced by researchers at other cybersecurity firms as Operation Dream Job and Operation AppleJeus.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit," said TAG's Adam Weidemann in a blogpost.  

"In line with our current disclosure policy, we are providing these details 30 days after the patch release." 

The attackers made use of an exploit kit that contained multiple stages and components. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised, according to the security researchers.

The group has targeted US organizations in news media, tech, cryptocurrency and fintech sectors, according to Google. Organizations in other countries may have been targeted too, it notes.  

According to Google, one of the groups targeted 250 people from 10 organizations in news media, domain registrars, web-hosting providers and software vendors with bogus job offers in emails impersonating recruiters from Disney, Google and Oracle. The emails contained links to spoofed versions of Indeed and ZipRecruiter — two popular sites used in the US for recruiting tech talent.   

Blockchain analysis firm Chainalysis estimates that North Korean hackers linked to Lazarus stole nearly $400 million worth of cryptocurrency in 2021. A United Nations panel of experts in 2018 concluded that its cryptocurrency hacks contributed to North Korea's ballistic missile programs.

Google says the other group targeted over 85 users in cryptocurrency and fintech industries using the same exploit kit.

Once they were discovered, all identified websites and domains were added to Google's Safe Browsing service to protect users from further exploitation, and Google also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. 

Mandiant, which Google is buying for $5.4 billion, also released a new report this week on North Korean hacking. It says North Korea is borrowing China's strategy of corralling hacker groups to work within the government.   

Mandiant identifies the Lazarus-linked hacking groups as Lab 110, TEMP.Hermit, APT38, Andariel, and Bureau 325. They operate under North Korea's foreign intelligence agency, the Reconnaissance General Bureau, which has seven sub-organizations that handle operations, reconnaissance, foreign intelligence, relations with South Korea, technology, and support. 

Each group is specialized to target different industries and gather intelligence from organizations about geopolitical events or raise revenues through cryptocurrency theft. 

"TEMP.Hermit, APT38, and Andariel are likely subordinate to Lab 110. Lab 110 is likely an expanded and reorganized version of "Bureau 121," Mandiant researchers said.

"The country's espionage operations are believed to be reflective of the regime's immediate concerns and priorities, which is likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information, and a slight decline in the once spiked stealing of COVID-19 vaccine research. Information collected in these campaigns will possibly be used to develop or produce internal items and strategies, as in vaccines, mitigations to bypass sanctions, funding for the country's weapons programs, and so on."

Editorial standards