North Korean cyber operators have been observed targeting source code repositories as part of their broad range of activities supporting state interests. These activities include espionage, theft, and fraud aimed at addressing North Korea’s ongoing financial challenges.
The initial points of access for these attacks involve impersonation and social engineering tactics. GitHub, a popular platform for hosting code repositories, recently discovered a low-volume social engineering campaign aimed at employees of technology firms. This campaign utilizes fake repository invitations and malicious npm package dependencies. GitHub has determined with high confidence that this campaign is associated with a group known as Jade Sleet, as named by Microsoft Threat Intelligence, and TraderTraitor, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Jade Sleet primarily targets individuals connected to cryptocurrency and blockchain-related organizations, as well as their vendors. The threat actors impersonate developers or recruiters, using phony or compromised accounts on platforms such as GitHub, LinkedIn, Slack, and Telegram. After gaining the victim’s trust, the threat actors convince them to collaborate on a GitHub repository. Once the victim clones and executes the repository, they unknowingly introduce malicious npm dependencies. It is worth noting that GitHub and npm systems themselves were not compromised in this campaign.
Code repositories have become attractive targets for cyberattacks due to the increasing adoption of cloud technologies. As organizations move their operations to the cloud, they also develop custom applications, making platforms like GitHub a lucrative focus for attackers. Ken Westin, Field CISO at Panther Labs, highlights this trend, noting that by compromising a source code repository, attackers can potentially breach multiple organizations.
Aside from financial motives, the theft of intellectual property is another factor driving criminal interest in code repositories. Erich Kron, a security awareness advocate at KnowBe4, explains that the potential rewards and availability of substantial sums of money contribute to the attraction of cybercrime and social engineering for groups like the one associated with Jade Sleet. Surprisingly, even with the advanced tools these groups possess, initial attacks often start with simple email phishing or other forms of social engineering. Kron emphasizes the importance of caution when downloading and installing applications from GitHub, reputable app stores, or websites. This caution is particularly crucial for those working in financial or cryptocurrency fields or handling sensitive and valuable information.
In conclusion, North Korean cyber operators are expanding their activities beyond conventional espionage to include the targeting of source code repositories. Impersonation and social engineering tactics are used as initial points of access, with attackers posing as developers or recruiters on platforms like GitHub, LinkedIn, Slack, and Telegram. Code repositories are attractive targets due to the growing use of cloud-based technologies and the potential for compromising multiple organizations through the injection of malicious code. The lure of financial gains and the theft of intellectual property further motivate these cybercriminal activities. As a result, individuals and organizations are advised to exercise caution when engaging with repositories and applications, particularly in fields related to cryptocurrencies and sensitive information handling.