North Korean hackers are exploiting LinkedIn as an entry point to infiltrate organizations, a significant cybersecurity threat.
This activity has been particularly evident in Japan, where instances of unauthorized access have risen sharply, resulting in substantial financial losses.
Recently, the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Police Agency of Japan (NPA) issued a public alert regarding the theft of cryptocurrency worth $308 million USD from the Japan-based cryptocurrency company DMM by North Korean cyber attackers in May 2024.
The theft was associated with TraderTraitor threat activity, also known as Jade Sleet, UNC4899, and Slow Pisces.
The Lazarus Group And LinkedIn Exploits
The attacks are primarily attributed to the Lazarus Group, a notorious hacking collective linked to North Korea. Since around 2019, JPCERT/CC has documented numerous incidents where LinkedIn was utilized as an infection vector.
According to JPCERT, the nature of these attacks suggests that using LinkedIn for business purposes can be dangerous, prompting organizations to reconsider their policies regarding social networking services (SNS) on work devices.
Several Lazarus Group campaigns follow this pattern. Operation Dream Job targets defense industry companies worldwide.
Attackers hijack legitimate LinkedIn accounts from HR representatives at defense contractors and reach out to employees with recruitment offers.
They often shift communication from LinkedIn to platforms like Skype or WhatsApp, eventually persuading targets to download malicious documents disguised as job-related materials.
The Operation Dangerous Password campaign has been active since 2019 and focuses on cryptocurrency exchanges. Attackers contact employees via LinkedIn, urging them to download ZIP files containing malicious executables.
Notably, the name of the malicious LNK file within these ZIPs has remained consistent over the years (e.g., Password.txt.lnk), although methods have evolved to target different operating systems and file types.
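As an added, defender-side illustration (not part of the original article, and not code from JPCERT/CC or any organization named here), the following Python inspects a ZIP archive for the double-extension pattern the article cites (Password.txt.lnk) and, going beyond the name check, for the Windows shortcut header in members that were renamed with a benign extension; the archive it scans is constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass

# Shell Link (.lnk) header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".msi", ".js", ".vbs", ".hta"}
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


@dataclass
class Finding:
    name: str
    reason: str


def extensions_of(path: str) -> list[str]:
    """Return every dotted suffix of the file name, lower-cased ('.txt', '.lnk')."""
    base = path.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def scan_zip_bytes(data: bytes) -> list[Finding]:
    """Flag archive members that look like disguised shortcuts or executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTENSIONS and len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
                findings.append(Finding(info.filename, f"double extension {exts[-2]}{last}"))
            elif last in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable member {last}"))
            else:
                # Content check: a shortcut renamed to .txt still carries the LNK header.
                with zf.open(info) as member:
                    if member.read(len(LNK_MAGIC)) == LNK_MAGIC:
                        findings.append(Finding(info.filename, "LNK header with non-lnk extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the demo (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Password.txt.lnk", LNK_MAGIC + b"\x00" * 16)  # double extension
        zf.writestr("Resume.txt", LNK_MAGIC + b"\x00" * 16)        # shortcut renamed
        zf.writestr("notes/README.txt", b"plain text, nothing to see")
    return buf.getvalue()
```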
Operation AppleJeus targets cryptocurrency users through social engineering.
Attackers initiate contact through LinkedIn and direct victims to Telegram, where they share links to malicious MSI files masquerading as cryptocurrency exchange tools.
The rise of cyber threats originating from North Korea underscores the necessity for organizations to reassess their social media policies and cybersecurity protocols.
As demonstrated through various operations by the Lazarus Group, attackers are increasingly sophisticated in their methods, utilizing platforms like LinkedIn for nefarious purposes.
Hence, it is crucial for businesses to remain aware of the risks associated with social networking platforms and take proactive steps to protect their digital assets.