North Korean APT’s Stealth Attack on Open-Source Ecosystems

Security researchers at Phylum have been tracking a sophisticated cyber campaign involving a series of npm packages since November. These packages, upon installation, execute a complex chain of actions – downloading remote files, decrypting them, executing exported functions, and then meticulously covering their tracks by deleting and renaming files. The aftermath leaves the package directory in a seemingly benign state, masking the nefarious activities that transpired.

Further investigation revealed that nearly two dozen additional packages belong to this still-active campaign. QiAnXin Threat Intelligence Center’s detailed analysis linked the binary involved in this operation to a North Korean APT, likely Lazarus. The campaign, with its crypto-themed package names, aims to gain persistent access to systems of developers who install these packages and, subsequently, to infiltrate the broader organizations they belong to – especially within the cryptocurrency sector.

North Korean APT

The ultimate objective of this campaign appears twofold: pilfer substantial cryptocurrency assets and circumvent the heavy international sanctions imposed on North Korea. Recorded Future reports that since 2017, North Korean APTs have stolen an estimated $3 billion in cryptocurrency, highlighting the critical role these thefts play in sustaining the country’s economy and military budget.

Recent Lazarus activity indicates a strategic shift from decentralized to centralized services in the crypto space. This change reflects the increased security among DeFi platforms and the inherent challenges in breaching decentralized services. Centralized platforms, with their larger workforces and IT systems, present more lucrative targets for cyber theft.

A common methodology used by these APTs is social engineering, often involving deceptive tactics like fake job interviews. The attacker gets the victim to install software containing a malicious dependency hosted on open-source platforms like npm, PyPI, Maven, etc. This strategy has been so effective that the United Nations has sought insights from Phylum on North Korea’s use of open-source ecosystems for these crypto-targeted attacks.

This ongoing activity by North Korea underscores the vulnerability of the open-source ecosystem and highlights how threat actors exploit the inherent trust developers place in these platforms. The combination of infecting a single developer and pivoting deeper into the organization, coupled with sophisticated social engineering, has proven alarmingly effective. It’s a stark reminder of the constant need for vigilance and proactive measures in the ever-evolving cyber landscape.