North Korean Hacker Group Embeds Malware in Developer Tools


North Korea’s notorious Lazarus Group, known for high-profile cryptocurrency thefts, has evolved its cyberattack strategy to target software supply chains. Security experts have uncovered a new operation, “Phantom Circuit,” where the hacking group embeds malware into trusted developer tools, allowing them to steal sensitive data without detection.

The Lazarus Group has a well-established track record, including the theft of over $600 million in cryptocurrency in 2023 alone. However, their latest approach represents a shift to long-term cyber espionage. According to researchers at SecurityScorecard, the operation, which began in January, has already affected 233 victims, with 100 of them located in India. The primary targets appear to be cryptocurrency developers, tech companies, and individuals involved in open-source projects.

The group’s method involves infiltrating open-source software repositories, where they clone legitimate projects and insert malware into the code. Developers unknowingly install the compromised software, trusting it as they would any other open-source package. This method allows Lazarus to quietly collect valuable data such as credentials, authentication tokens, and passwords, which are likely being used to further North Korea’s geopolitical interests.

SecurityScorecard’s STRIKE team discovered that Lazarus utilizes platforms like GitLab, a popular tool among developers, to distribute the backdoored software. Once the malware is active, the stolen data is uploaded to Dropbox, where it remains hidden from view. Lazarus also routes its traffic through a VPN and Russian proxies to obscure its true location, making it appear as though the attacks are coming from Russia.

This new phase in Lazarus’s cyber operations highlights the shift among cybercriminals toward more covert, persistent strategies aimed at long-term intelligence gathering. Experts stress the importance of strengthening security measures by implementing rigorous code verification processes and closely monitoring network traffic to defend against these increasingly stealthy threats. Enhanced security measures are vital to safeguard sensitive data from groups like Lazarus.
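One concrete form of the code verification the experts call for, given that the campaign relies on cloned repositories with inserted code: compare the copy a developer actually installed against a fresh checkout of the upstream release and list every file that was added, removed or modified. The script below is an added example, not code from the article or from SecurityScorecard; the two directory trees it compares are constructed in temporary directories so it runs offline, and in practice `trusted` would be a fresh clone of the upstream project at the tagged release and `suspect` the installed copy.

```python
import hashlib
import os
import tempfile

def tree_digests(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # ignore VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests

def compare_trees(trusted, suspect):
    """Report files that exist only in the suspect copy, only upstream, or differ."""
    a, b = tree_digests(trusted), tree_digests(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def write_tree(root, files):
    """Materialise a {relative_path: text} mapping under root (sample data only)."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)

def demo():
    """Constructed sample: the installed copy gained one file and a patched setup.py."""
    upstream = {"setup.py": "from setuptools import setup\nsetup(name='demo')\n",
                "demo/__init__.py": "VERSION = '1.0'\n"}
    installed = dict(upstream)
    installed["setup.py"] = upstream["setup.py"] + "import demo.helper\n"
    installed["demo/helper.py"] = "# file that does not exist in the upstream release\n"
    with tempfile.TemporaryDirectory() as t, tempfile.TemporaryDirectory() as s:
        write_tree(t, upstream)
        write_tree(s, installed)
        return compare_trees(t, s)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any path in the `added` or `modified` lists is a file the upstream release never shipped in that form and deserves a manual review before the package is trusted.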