A hacking group, suspected to be from North Korea, uses a Google Chrome extension to target victims in the academic sector. ZDNet reports, “In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.”
The ZDNet report also points out that this is the first time that an APT (Advanced Persistent Threat), which is an industry term that’s used for referring to nation-state hacking groups, is seen exploiting a Google Chrome extension. This definitely is not the first such exploitation of a browser extension; a Mozilla Firefox add-on was exploited by a Russia-based APT in 2015.
The attack, as per reports, is executed as a spear-phishing campaign that has been pushing a malicious Google Chrome extension named Auto Font Manager since at least May 2018.
The ZDNet report details it further- “Hackers used spear-phishing emails to lure victims on websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.” A report from the ASERT team at NetScout reads, “ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018. The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials.”
The report further explains, “Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately
prompted to install a malicious Google Chrome extension. Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”
The researchers have revealed that the malicious extension can steal cookies and website passwords, but at the same time email forwarding has also been seen on some of the compromised accounts.
Though it has been stated that the attacks using the Google Chrome extension are targeted at the academic sector, the names of the victims haven’t yet been revealed. A non-profit institution from Asia and some universities from the U.S are reportedly in the list of institutions targeted.
The NetScout researchers say, in the report, “A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers targeting.”
The researchers have found that the infrastructure used to host these phishing websites have been used earlier too, in another hacking campaign that involved breaking into the networks of universities via RDP connections.
The inferences are that the group behind the campaign are based in North Korea. The NetScout report says, “While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. This, along with the presence of the cryptojacker, is typical of DPRK tradecraft. Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.”
Though the NetScout team haven’t named any particular group, ZDNet researchers seem to have their own inferences. The ZDNet report states
that “…multiple industry sources to whom ZDNet showed the Chrome extension file hashes yesterday pointed us to a cyber-espionage group known as Kimsuky (also known as Velvet Chollima).”
“A 2013 Kaspersky Lab report presented evidence linking the group to North Korea’s regime. The same report also detailed Kimsuky’s propensity for going after academic targets, the same ones targeted with this most recent campaign,” the ZDNet report goes on to explain.
The main goal of the hackers, according to the NetScout ASERT team, is perhaps to gain access to compromised accounts and systems via stolen credentials and then to hold on to it. No evidence of data theft has been found.
The academic sector (especially the universities) has always been a favorite target for APTs looking for unreleased research, proprietary information etc. Chinese, Russian and Iranian hacking groups have been frequently targeting academic institutions.
