Security researchers at Google's Threat Analysis Group have discovered a new hacking campaign led by a group believed to be funded directly by the North Korean government, or rather two separate attacks conducted by exploiting a single 0-day vulnerability in the Chrome web browser. The events took place between January and February 2022, and the browser flaw has since been closed for some time, but the attacks managed to compromise some computers of companies in the fintech sector and some media outlets; the exact names were not disclosed.
- Operation Dream Job targeted media, domain registrars, software developers and web hosting platforms. In total, more than 250 employees spread across 10 companies were sent highly attractive fake job advertisements. The emails were structured to look like they came from recruiting platforms such as Indeed.com or ZipRecruiter, and the (of course fake) offers were made on behalf of highly rated companies such as Disney, Google and Oracle. Naturally, the “check offer” button redirected to a fraudulent site, which took control of the system through a hidden iframe.
- Operation AppleJeus instead targeted companies operating in the fintech and crypto sectors, and apparently affected fewer people, 85 in all. The modus operandi was the same. It emerged that two legitimate sites were also compromised to spread the attack, and that there are traces suggesting the possible involvement of at least two other browsers, Safari and Firefox.
It is important to keep in mind that both operations have been around for several years already and cyclically reappear, exploiting the latest vulnerabilities they manage to find. It is not clear what data, or how much of it, the North Korean hackers managed to steal: apparently they were very good at covering their tracks. Although the flaw has been closed, it remained open for a significant amount of time: the first attack took place on January 4th, while corrective patches were released only on February 14th.