#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

North Korea | Breaking Cybersecurity News | The Hacker News

Category — North Korea
U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs

U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs

Jan 17, 2025 Insider Threat / Cryptocurrency
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People's Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions. "These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development," the Treasury Department said . "The DPRK government withholds up to 90% of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime's weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs." The action represents the latest salvo in the U.S. g...
North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains

North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains

Jan 15, 2025 Blockchain / Cryptocurrency
Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based threamoret groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The IT worker fraud scheme , which came to light in late 2023, involves North Korean actors infiltrating companies in the West and other parts of the world by surreptitiously seeking employment under fake identities to generate revenue for the sanctions-hit nation. It's also tracked under the names Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole. The IT personnel, per South Korea's Ministry of Foreign Affairs (MoFA), have been assessed to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers' Party of Korea. ...
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

Jan 16, 2025Identity Protection / SaaS Security
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks . (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester).  Stolen credentials on criminal forums cost as little as $10 (Source: Verizon). Something doesn't add up. So, what's going on? In this article, we'll cover: What's contributing to the huge rise in account compromises linked to stolen creds and why existing approaches aren't working.  The world of murky intelligence on stolen credentials, and how to cut through the noise to find the true positives. Recommendations for security teams to stop attackers from using stolen creds to achieve account takeover. Stolen credential-based attacks are on the rise There's clear evidence that identity attacks are now the #1 cyber threat f...
North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

Dec 27, 2024 Cryptocurrency / Cyber Espionage
North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie . Contagious Interview (aka DeceptiveDevelopment ) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process. This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret. Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It's also referred to as Famous Chollima and Tenacious Pungsan. In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack c...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin

North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin

Dec 24, 2024 Cybercrime / Malware
Japanese and U.S. authorities have formerly attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors. "The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces," the agencies said . "TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously." The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It's worth noting that DMM Bitcoin shut down its operations earlier this month in the aftermath of the hack. TraderTraitor refers to a North Korea-linked persistent threat activity cluster that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately ...
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

Dec 20, 2024 Cyber Espionage / Malware
The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024. The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus , are part of a long-running cyber espionage campaign known as Operation Dream Job, which is also tracked as NukeSped by cybersecurity company Kaspersky. It's known to be active since at least 2020, when it was exposed by ClearSky. These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines. "Lazarus is interested in carrying out supply chain attacks as part of the DeathNote...
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

Dec 03, 2024 Threat Intelligence / Email Security
The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said . "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed." This entails the abuse of VK's Mail.ru email service, which supports five different alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru. Genians said it has observed the Kimsuky actors leveraging all the aforementioned sender domains for phishing campaigns that masquerade as financial institutions and internet portals like Naver. Other phishing attacks have entailed sending messages that mimic Naver's MYBOX cloud storage service and aim to trick users into ...
North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn

North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn

Nov 23, 2024 Artificial Intelligence / Cryptocurrency
The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period. These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both recruiters and job seekers to generate illicit revenue for the sanction-hit nation. Sapphire Sleet, which is known to be active since at least 2020, overlaps with hacking groups tracked as APT38 and BlueNoroff. In November 2023, the tech giant revealed that the threat actor had established infrastructure that impersonated skills assessment portals to carry out its social engineering campaigns. One of the main methods adopted by the group for over a year is to pose as a venture capitalist, deceptively claiming an interest in a target user's company in order to set up an online meeting. Targ...
North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs

North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs

Nov 21, 2024 Malware / Cyber Fraud
Threat actors with ties to the Democratic People's Republic of Korea (DPRK) are impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives as part of a broader information technology (IT) worker scheme. "Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers' true origins and managing payments," SentinelOne security researchers Tom Hegel and Dakota Cary said in a report shared with The Hacker News. North Korea's network of IT workers, both in an individual capacity and under the cover of front companies, is seen as a technique to evade international sanctions imposed on the country and generate illicit revenues. The global campaign, which is also tracked as Wagemole by Palo Alto Networks Unit 42, entails using forged identities to obtain employment at various companies in the U.S. and elsewhere, and send back a huge portion of their wages bac...
New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

Nov 14, 2024 Cryptojacking / Threat Intelligence
Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr . The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including RustBucket .  Extended attributes refer to additional metadata associated with files and directories that can be extracted using a dedicated command called xattr . They are often used to store information that goes beyond the standard attributes, such as file size, timestamps, and permissions. The malicious applications discovered by Group-IB are built using Tauri , a cross-platform desktop application framework, and signed with a leaked certificate that has since been revoked by Apple. They include an extended attribute that's configured to fetch and run a shell script. The execution of...
North Korean Hackers Target macOS Using Flutter-Embedded Malware

North Korean Hackers Target macOS Using Flutter-Embedded Malware

Nov 12, 2024 Malware / Application Security
Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python. It's currently not known how these samples are distributed to victims, and if it has been used against any targets, or if the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses. "We suspect these specific examples are testing," Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. "It's p...
North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

Nov 07, 2024 Cryptocurrency / Malware
A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices . Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk , attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket , KANDYKORN , ObjCShellz , RustDoor (aka Thiefbucket ), and TodoSwift . The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News. "The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics." As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, the...
BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

Oct 28, 2024 Malware / Threat Intelligence
Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview. The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan , which is also known by the monikers CL-STA-0240 and Famous Chollima. The names of the malicious packages, which are no longer available for download from the package registry, are listed below - passports-js, a backdoored copy of the passport (118 downloads) bcrypts-js, a backdoored copy of bcryptjs (81 downloads) blockscan-api, a backdoored copy of etherscan-api (124 downloads) Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious packages or seemingly innocuous video conferencing applications as part...
North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

Oct 20, 2024 Insider Threat / Cyber Espionage
North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes," Secureworks Counter Threat Unit (CTU) said in an analysis published this week. "In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024." The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267 . The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea's strategic and financial interests, refers to an insider threat...
N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

Oct 09, 2024 Phishing Attack / Malware
Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret. The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023. "The threat actor behind CL-STA-0240 contacts software developers through job search platforms by posing as a prospective employer," Unit 42 said in a new report. "The attackers invite the victim to participate in an online interview, where the threat actor attempts to convince the victim to download and install malware." The first stage of infection involves the BeaverTail downloader and information stealer that's designed for targeting both Windows and Apple macOS platforms. The malware acts as a conduit for the Python-based InvisibleFerret backdoor. There is evidence to suggest that the activity ...
Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Oct 02, 2024 Cyber Threat / Malware
Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack. "While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a report shared with The Hacker News. Andariel is a threat actor that's assessed to be a sub-cluster within the infamous Lazarus Group. It's also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It's been active since at least 2009. An element within North Korea's Reconnaissance General Bureau (RGB), the hacking crew has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui , while also developing an arsenal of custom backdoors like Dtrack (aka Valefor and Preft), ...
Expert Insights / Articles Videos
Cybersecurity Resources