Latest Report Uncovers Supply Chain Attacks by North Korean Hackers

Supply Chain Attacks by North Korea

Lazarus Group, the advanced persistent threat (APT) group
attributed to the North Korean government, has been observed waging
two separate supply chain attack campaigns as a means to gain a
foothold into corporate networks and target a wide range of
downstream entities.

The latest intelligence-gathering operation involved the use of
MATA malware framework as well as backdoors dubbed BLINDINGCAN[1]
and COPPERHEDGE[2]
to attack the defense industry, an IT asset monitoring solution
vendor based in Latvia, and a think tank located in South Korea,
according to a new Q3 2021 APT Trends report[3] published by
Kaspersky.

Automatic GitHub Backups

In one instance, the supply-chain attack originated from an
infection chain that stemmed from legitimate South Korean security
software running a malicious payload, leading to the deployment of
the BLINDINGCAN and COPPERHEDGE malware on the think tank’s network
in June 2021. The other attack on the Latvian company in May is an
“atypical victim” for Lazarus, the researchers said.

It’s not clear if Lazarus tampered with the IT vendor’s software
to distribute the implants or if the group abused the access to the
company’s network to breach other customers. The Russian
cybersecurity firm is tracking the campaign under the DeathNote
cluster.

That’s not all. In what appears to be a different
cyber-espionage campaign, the adversary has also been spotted
leveraging the multi-platform MATA[4]
malware framework to perform an array of malicious activities on
infected machines. “The actor delivered a Trojanized version of an
application known to be used by their victim of choice,
representing a known characteristic of Lazarus,” the researchers
noted.

According to previous findings[5]
by Kaspersky, the MATA campaign is capable of striking Windows,
Linux, and macOS operating systems, with the attack infrastructure
enabling the adversary to carry out a multi-staged infection chain
that culminates in the loading of additional plugins, which allow
access to a wealth of information including files stored on the
device, extract sensitive database information as well as inject
arbitrary DLLs.

Beyond Lazarus, a Chinese-speaking APT threat actor, suspected
to be HoneyMyte, was found adopting the same tactic, wherein a
fingerprint scanner software installer package was modified to
install the PlugX[6]
backdoor on a distribution server belonging to a government agency
in an unnamed country in South Asia. Kaspersky referred to the
supply-chain incident as “SmudgeX.”

The development comes as cyber attacks[7]
aimed at the IT supply chain have emerged as a top concern in the
wake of the 2020 SolarWinds intrusion, highlighting the need to
adopt strict account security practices and take preventive
measures to protect enterprise environments.

References

  1. ^
    BLINDINGCAN
    (us-cert.cisa.gov)
  2. ^
    COPPERHEDGE
    (us-cert.cisa.gov)
  3. ^
    Q3 2021
    APT Trends report
    (securelist.com)
  4. ^
    MATA
    (thehackernews.com)
  5. ^
    previous
    findings
    (thehackernews.com)
  6. ^
    PlugX
    (thehackernews.com)
  7. ^
    cyber
    attacks
    (thehackernews.com)

Read more

Leave a Reply