Lazarus Group targets cloud services and code repositories.
The CyberWire, Jul 22, 2023

DPRK cyber operators are targeting source code repositories; they've also worked against cloud services.


North Korean operators support the full spectrum of state interests, from conventional espionage to direct theft and fraud intended to redress Pyongyang's chronic financial shortfalls.

Impersonation and social engineering as initial points of access.

GitHub has discovered “a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies.” GitHub states, “We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.” The threat actor begins the attack by impersonating developers or recruiters with phony or compromised accounts on GitHub, LinkedIn, Slack, and Telegram. After establishing trust, the threat actor convinces the victim to collaborate on a GitHub repository. The victim clones and executes the repository, which contains malicious npm dependencies. GitHub notes that “[n]o GitHub or npm systems were compromised in this campaign.”

Why cloud services and code repositories are attractive targets.

North Korean operators have also been linked to a recent attack against JumpCloud; SentinelOne traced connections to Pyongyang through the attackers' infrastructure. Help Net Security characterized the attack as aimed at compromising downstream users, especially users in the cryptocurrency sector. JumpCloud yesterday confirmed that the damage was limited. As the company put it in a Thursday update, "Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly." The targeting in both instances is suggestive of a trend.

Code repositories are growing as cloud usage increases. Ken Westin, Field CISO at Panther Labs, sees this as the key to understanding why attacks like this are likely to continue. "As organizations move to the cloud, they are also building custom applications; this makes source code repositories such as GitHub a hot target, as attackers can inject malicious code that enables them to not only compromise one organization, but multiple."

And, of course, there are the usual Willie-Suttonesque reasons for criminal attention to code repositories. Erich Kron, security awareness advocate at KnowBe4, also thinks the attack is unsurprising. “Between the sheer amount of money available and the potential to steal intellectual property, it's no wonder groups like this have embraced cybercrime and social engineering the way they have. Interestingly, even with the highly advanced tools these groups use to infect computers and networks, the initial attacks often start with simple email phishing or another type of social engineering. Given the potential payout, groups such as this are willing to put time into building a relationship of trust with potential targets, allowing them a much higher success rate than with typical mass distributed social engineering attacks. It pays to be careful when downloading and installing any application from GitHub or even reputable app stores or websites, especially if you are in a financial or cryptocurrency field or handle sensitive and valuable information.”