Microsoft has identified a previously unidentified hacking group operating out of North Korea as the source of a cyberattack on users of the software development site GitHub.
A notice on “a low-volume social engineering operation” that targets the private profiles of staff members of technology companies was released this week by Alexis Wales of GitHub. The hackers employed “a blend of unauthorized npm package dependencies and repository invitations.”
“Many of these affected accounts have ties to the bitcoin, blockchain, or online gambling industries. A number of the targets were also connected to the cybersecurity industry,” according to Wales, who also noted that no GitHub or npm systems were breached during the attack.
The attacks were ascribed by GitHub to a group identified as TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and known as “Jade Sleet” at Microsoft (GitHub’s owner).
Microsoft uses the suffix Sleet for North Korean threat actors, while Jade is a previously unused designation.
A Microsoft representative told Recorded Future News that the business “has not openly addressed this threat actor before.”
Jade Sleet “targets mostly individuals connected to cryptocurrency and other blockchain-related companies, but also attacks vendors utilized by those firms,” according to the GitHub notice.
According to GitHub, Jade Sleet’s impersonation of a developer or recruiter on GitHub and other social media sites, including LinkedIn, Slack, and Telegram, was the first step in the attack chain.
In other attacks, legitimate accounts that the hackers had hijacked were used. The group frequently initiates contact on one platform before proposing a move to another.
“The threat actor contacts a target, encourages them to work on a GitHub project, and then persuades them to copy and run the contents of the repository. GitHub repositories can be either public or private,” according to Wales.
The software in the GitHub repository pulls in malicious npm dependencies. The threat actor has been known to use software themes including media players and cryptocurrency trading platforms, among others. On the victim’s computer, the malicious npm packages act as initial-stage ransomware that downloads and runs second-stage malware.
GitHub observed that the hackers typically publish their malicious packages only when they send a fraudulent repository invitation, in an attempt to limit exposure of the malicious tooling.
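As an added defensive illustration (not code from GitHub, the advisory, or this article): a small Python triage of a repository's package.json before anything is installed, flagging the two patterns this campaign leans on, install-time lifecycle hooks and dependencies fetched from outside the npm registry. The package names, the sample manifest and the allow-list are constructed.

```python
"""Pre-install triage of a repository received via an unsolicited invitation.

Added example: flags root-level npm lifecycle hooks (code that runs on
`npm install`) and dependency specs that resolve outside the npm registry.
"""
import json
import re

# Constructed sample package.json, modelled on the "trading platform" theme
# described in the advisory; every package name here is hypothetical.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "crypto-trading-dashboard",
    "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
    "dependencies": {
        "react": "^18.2.0",
        "price-feed-utils": "git+https://example.invalid/attacker/price-feed-utils.git",
        "chart-helper-x": "1.0.0",
    },
    "devDependencies": {"jest": "^29.0.0"},
})

# npm runs these scripts automatically during install / pack.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Specs that are not plain registry version ranges: git URLs, http(s)
# tarballs, local paths, and the "user/repo" GitHub shorthand.
NON_REGISTRY = re.compile(r"^(git\+|git:|https?://|file:|github:|[\w.-]+/[\w.-]+$)")


def triage(package_json_text, known_good=frozenset()):
    """Return (severity, finding) tuples for one package.json manifest."""
    pkg = json.loads(package_json_text)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd:
            findings.append(("high", f"root lifecycle hook {hook}: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY.match(spec):
                findings.append(("high", f"{name} resolves outside the registry: {spec}"))
            elif known_good and name not in known_good:
                findings.append(("medium", f"{name} is not on the vetted allow-list"))
    return findings


def verdict(findings):
    """'block' if any high-severity finding exists, else 'review' or 'ok'."""
    severities = {sev for sev, _ in findings}
    return "block" if "high" in severities else ("review" if findings else "ok")


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_PACKAGE_JSON, known_good={"react", "jest"}):
        print(f"[{sev}] {msg}")
```

Dependencies' own install hooks live in their published tarballs, so this check covers only the repository's root manifest; installing with `npm install --ignore-scripts` blocks those hooks as well.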
GitHub’s findings were largely consistent with research published in June by cybersecurity researchers at Phylum Security.
In addition to releasing attack indicators and submitting reports of abuse with the domain hosts utilized by the attackers, GitHub stated it is deactivating the npm and GitHub accounts linked to the campaign.
The platform advised users to check whether the group had contacted them and, more generally, to be wary of any contact made over social media.
In scores of cyberattacks on cryptocurrency companies, North Korean hackers have specifically targeted exchanges that trade cryptocurrency, commercial banks, and e-commerce platforms, stealing cryptocurrency valued at billions of dollars.
North Korea stole almost $700 million worth of cryptocurrencies last year, according to South Korea’s state spy service, which is sufficient funds to allow the regime to “fire 30 intercontinental ballistic projectiles.”
These attacks are primarily intended to support the North Korean government’s “continued attempts to raise money for the system, which continues under significant international sanctions,” according to a study released last month by Recorded Future’s Insikt Group.
Several US intelligence agencies have noted North Korean cyber attackers specifically targeting a “variety of companies in the blockchain platform and cryptocurrency industry,” according to a CISA advisory from last year that singled out the TraderTraitor group.
According to CISA, in April 2022, “intrusions start with a large volume of spearphishing communications sent to staff members of cryptocurrency businesses — often employed in system administration or software development/IT operations (DevOps) — on an array of different communication platforms.”
The United States government refers to these texts as “TraderTraitor” because they frequently resemble recruitment efforts and offer lucrative positions to get recipients to download Bitcoin applications laden with malware.
On Thursday, North Korean hackers were charged with orchestrating the hack of software provider JumpCloud. The assault was a component of a supply-chain hack that was intended to target cryptocurrency businesses.
About The Author:
Yogesh Naager is a content marketer that specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.