New Delhi, March 27 Google has discovered that North Korean government-backed hackers are targeting news media, IT, cryptocurrency and fintech industries in the US and globally.
The Google Threat Analysis Group (TAG) found that two distinct North Korean government-backed attacker groups were exploiting a remote code execution vulnerability in Chrome browser.
“We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques,” the company said in a blog post.
It is possible that other North Korean government-backed attackers have access to the same exploit kit, it added.
One campaign, consistent with ‘Operation Dream Job’, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.
The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities.
The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
“Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit,” said Google.
Another North Korean group, whose activity has been publicly tracked as ‘Operation AppleJeus’, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit.A
This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors.
“In other cases, we observed fake websites — already set up to distribute trojanised cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit,” Google informed.
Upon discovery, all identified websites and domains were added to ‘Safe Browsing’ to protect users from further exploitation.
“We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity,” said Google.