Google thwarts two North Korean hacking groups targeting crypto firms

  • Google says its threat analysis team has thwarted two state-linked North Korean hacking groups that had been targeting crypto firms and tech job seekers.
  • The two groups exploited a vulnerability in Google’s Chrome browser that was discovered and patched earlier this year.

Two hacking groups that were targeting cryptocurrency firms and job hunters through a Google Chrome zero-day attack have been stopped by the search engine giant’s threat analysis team.

In a blog post, Adam Weidemann of Google’s Threat Analysis Group (TAG) revealed that the two groups had been exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. The two groups’ activities are tracked as Operation Dream Job and Operation AppleJeus. The earliest evidence Google TAG gathered of these groups exploiting the Chrome vulnerability dates back to January 4 this year.

Weidemann noted:

We observed the campaigns targeting U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted.

Google believes that the two groups work for the same entity, which would explain why they shared the same exploit, even though each operates with a different mission set and deploys different techniques. Google further noted that other North Korean government-backed attackers may have access to the same exploit.

Google further linked the hacking groups to Lazarus, one of the world’s deadliest hacker groups based in North Korea. Lazarus has been behind some of the biggest cyberattacks in recent times, including the infamous Sony hack in 2014.

Calling themselves the ‘Guardians of Peace,’ the hackers infiltrated the film company, stole massive amounts of data, and leaked it to journalists. They then demanded that Sony halt the release of ‘The Interview,’ a movie about two Americans who assassinate Kim Jong Un, the supreme leader of North Korea.

Google says that 85 users in the crypto and fintech industries were among the targets. The groups also targeted 250 people at 10 separate organizations in news media, software vendors, and domain registrars with fake job offers sent in emails that impersonated recruiters from some of the world’s biggest companies, from Disney to Google.

The latest report further cements the widely held belief that North Korea’s government has been working with hackers to attack its foes and steal from them. It has taken a particular liking to crypto and is behind some of the biggest hacks in the crypto sector.

According to Chainalysis, Lazarus hackers stole about $400 million worth of crypto in 2021 alone through hacks, ransomware, and more.
