
North Korea’s Lazarus Group Launches Global Supply Chain Attack Targeting Developers


North Korea’s notorious hacking collective, Lazarus Group, has orchestrated a large-scale supply chain attack that, by the researchers’ own tallies, has compromised well over a thousand victims worldwide. The operation, named Phantom Circuit, remains active as of this month.

The group injected obfuscated backdoors into cloned copies of legitimate open-source software and developer tools, primarily targeting professionals in the cryptocurrency industry. These tampered projects were then published on platforms such as GitLab under the guise of the originals. Developers who cloned and ran them executed the embedded backdoor on their own machines, in at least two observed cases on corporate laptops.

According to SecurityScorecard, which uncovered and analyzed the attack, the campaign has unfolded in multiple waves:
  • November 2024: 181 developers, mostly in the European tech sector, were targeted.
  • December 2024: The attack expanded to 1,225 victims, including 284 in India and 21 in Brazil.
  • January 2025: An additional 233 individuals were affected, with 110 in India’s technology sector alone.
The stolen data includes credentials, authentication tokens, passwords, and system information, posing severe security risks for organizations and individuals alike.

The hackers leveraged open-source repositories, particularly forking existing projects to insert malicious code. SecurityScorecard’s senior VP of research and threat intelligence, Ryan Sherstobitoff, noted:

"These are examples of code repos they host on GitLab, for example, which is a clone of legit software, and they embed an obfuscated backdoor into Node.js. The scary thing is that these developers will clone this code from git directly onto corporate laptops; we have seen this directly with two devs already. Basically, they can do it for almost any package."

Among the compromised repositories were:
  • Codementor
  • CoinProperty
  • Web3 E-Store
  • A Python-based password manager
  • Other cryptocurrency-related applications, authentication tools, and Web3 technologies
Once a developer clones the tampered repository and installs or runs it, the embedded code installs a backdoor, granting Lazarus Group remote access to the compromised device. The attackers then collect credentials, tokens and system information and exfiltrate them to North Korean command-and-control (C2) servers. Embedding malware into legitimate-looking software, rather than delivering it through a lure file, marks a tactical shift for Lazarus Group.

"This approach allows widespread impact and long-term access while evading detection," Sherstobitoff explained.

SecurityScorecard also linked this campaign to an earlier fake job offer scam, Operation 99, through which the group’s C2 servers, active since September 2024, were identified. These same servers were later repurposed for Phantom Circuit, facilitating malware deployment and data theft.

Despite these discoveries, key questions remain regarding how the stolen data is processed and what infrastructure supports these attacks. The investigation is ongoing.