North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software

A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

(Image credit: Getty Images)

Lazarus was seen poisoning open source software with infostealers
The campaign is dubbed Phantom Circuit, and targets mostly European software devs
Multiple repositories were found poisoned with malware

The notorious North Korean hackers Lazarus have been targeting software developers, particularly those in the Web3 industry, with infostealing malware, grabbing their credentials, authentication tokens, and other valuable data, experts have warned.

Cybersecurity researchers SecurityScorecard released a report detailing the campaign, which included a software supply-chain attack and open-source poisoning.

Lazarus Group, an infamous hacking collective on North Korea’s payroll, was spotted grabbing different open source tools, poisoning them with malicious code, and then returning them to code repositories and platforms such as Gitlab.

Targeting Web3 devs

Developers would then pick up these tools by mistake, and would unknowingly get infected with malware.

The researchers named the operation Phantom Circuit, and apparently ended up compromising more than 1,500 victims. Most of them are based in Europe, with notable additions from India and Brazil.

The modified repositories apparently included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and “other cryptocurrency-related apps, authentication packages, and web3 technologies”, citing Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard.

The researchers did not say if Lazarus used any known infostealer in this campaign, or created new code from scratch. The group is known for using a wide variety of tools in their attacks.

Lazarus often targets cryptocurrency companies. Some researchers are saying the country is engaging in crypto theft to fund its state apparatus, as well as its weapons program. The group is famous for its fake job campaign, called Operation DreamJob, in which it targets Web3 software developers with fake, lucrative job offers.

During the interview stages, the attackers would trick the candidate into downloading and running infostealers, grabbing their tokens, and those of their employers. In one such instance, Lazarus managed to steal roughly $600 million.

FBI confirms North Korean Lazarus Group was behind major Harmony crypto heist
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.