While North Korean hackers are known for stealing money to finance Kim Jong Un’s authoritarian regime, Pyongyang may also be engaging in a cyber-espionage campaign targeting universities, new research shows.
The hacking operation, which began in May, if not earlier, uses malicious Google Chrome extensions to gain a foothold into a victim’s computer, according to ASERT, the threat intelligence group of Netscout’s Arbor Networks.
Once the hackers compromised a target network, they used “off-the-shelf tools,” like remote desktop protocol, to retain access to the network, according to ASERT. The goal of the operation, dubbed “Stolen Pencil,” appears to be maintaining persistent access; researchers found no evidence of data theft.
“A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers’ targeting,” states the research, which was published Wednesday. The malicious extensions have been removed from the Google Play Store, ASERT says.
Although ASERT did not definitively tie the hackers to North Korea, clues point to the Hermit Kingdom. Use of off-the-shelf tools and a cryptojacker are typical of the North Koreans, and the hackers’ poor operational security showed that Korean was their language of choice in websites they viewed and in their keyboard usage, researchers said.
ASERT did not specify the location of the universities being targeted. However, one Twitter user documented a spearphishing attempt in the campaign sent from a compromised or mock Dartmouth College email address that included the words “nuclear deterrence” as a lure.
Spearphishing attempt coming from a impersonation or compromised email from Dartmouth College. The email had Nuclear Deterrence as a lure and suggestedto click a link which takes them to a pdf with a chrome extension add on that acts as a keylogger. Possible CN or DPRK #APT pic.twitter.com/v76d3P3Wnz
— Mr. J0hn D0ugh (@MD0ugh) September 13, 2018
The spearphishing email was sent to a person who specializes in Korean affairs at a think tank, a source familiar with the matter told CyberScoop.
This is not the first apparent North Korean cyber-espionage operation aimed at research communities. In September 2013, Kaspersky Lab documented a suspected North Korean campaign against South Korean think tanks.
The Chrome extension hashes found in the new campaign exposed by ASERT tie the activity to the cyber-espionage group identified by Kaspersky in 2013, ZDNet reported.
It’s not only money they’re after
A trademark of North Korea’s computer operatives is their aggressive targeting of financial institutions around the world. In October, cybersecurity company FireEye revealed a Pyongyang-linked group that had tried to steal $1.1 billion. But it’s not just banks that are in the crosshairs. The United States has attributed the 2014 cyberattack on Sony Pictures Entertainment and the 2017 WannaCry ransomware outbreak to North Korea. And there is more evidence, aside from the ASERT research, that North Korea-linked hackers are expanding their target base to other industries.
Dmitri Alperovitch, CTO and co-founder of cybersecurity company CrowdStrike, said his company has recently observed an uptick in targeting from North Korean hackers, “including an attempted intrusion into a manufacturing company that may signal an expansion into economic espionage.”
In tracking North Korean hacking groups for a decade, CrowdStrike has seen “continued growth in the sophistication of their tradecraft,” Alperovitch told CyberScoop.
As Pyongyang expands its hacking targets, the United States has struggled to find ways to deter North Korea in cyberspace. In October, the FBI quietly told American companies that North Korean government hackers will keep targeting financial institutions worldwide despite the U.S. government’s attribution of such activity to Pyongyang.