Google’s Threat Analysis Group recently discovered North Korean government-backed hackers who tried to exploit a zero-day vulnerability in Google Chrome in order to gain access to people’s devices. The company has since patched the security flaw.
In an official blog post, Adam Weidemann, Director of Engineering at Google, claimed that the flaw had been exploited since January 4. The post described in detail how the bug was used for both intelligence-gathering and financially motivated attacks over several weeks.
The two groups were codenamed Operation Dream Job and Operation AppleJeus, and targeted “U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.”
The groups exploited a use-after-free bug in Chrome tracked as CVE-2022-0609. A use-after-free occurs when a program keeps referencing memory after it has been released; by controlling what is placed in that freed memory, an attacker can redirect the program’s behaviour and achieve remote code execution.
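The use-after-free class behind CVE-2022-0609 is easier to reason about with a small model. The following C program is an added illustration and is not code from Chrome or from Google’s post: a four-slot object pool stands in for a real allocator, so freeing an object and allocating another reuses the same slot, and a reference that was never cleared now points at the new object. The `generation` counter, the handle layout and the two lookup functions are assumptions made for the illustration; they show the defensive pattern of tagging every reference with a generation so that a stale reference is refused rather than silently resolved to whatever now occupies the slot.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Illustrative model only (not Chrome's allocator): freeing a slot makes it
 * available again, so a stale handle to the freed slot resolves to whatever
 * object is stored there next. The generation counter is the mitigation:
 * a handle carries the generation it was issued for, and a lookup with a
 * stale generation is rejected instead of returning the reused slot. */

#define POOL_SLOTS 4

typedef struct {
    char     name[16];
    uint32_t generation;   /* bumped every time the slot is freed */
    int      in_use;
} slot_t;

typedef struct {
    uint32_t index;        /* which slot the handle refers to */
    uint32_t generation;   /* generation the handle was issued for */
} handle_t;

static slot_t pool[POOL_SLOTS];

/* Allocate the lowest free slot and store a short name for the object. */
static handle_t pool_alloc(const char *name) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].name[sizeof pool[i].name - 1] = '\0';
            return (handle_t){ i, pool[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* pool exhausted */
}

/* Free a slot; bumping the generation invalidates every outstanding handle. */
static void pool_free(handle_t h) {
    if (h.index >= POOL_SLOTS) return;
    pool[h.index].in_use = 0;
    pool[h.index].generation++;
    memset(pool[h.index].name, 0, sizeof pool[h.index].name);
}

/* Unchecked lookup: trusts the index alone, the way a raw pointer does. */
static const char *lookup_unchecked(handle_t h) {
    if (h.index >= POOL_SLOTS || !pool[h.index].in_use) return NULL;
    return pool[h.index].name;
}

/* Checked lookup: a handle whose generation no longer matches is stale. */
static const char *lookup_checked(handle_t h) {
    if (h.index >= POOL_SLOTS || !pool[h.index].in_use) return NULL;
    if (pool[h.index].generation != h.generation) return NULL;  /* stale */
    return pool[h.index].name;
}

/* Replay the pattern: allocate A, free it, allocate B into the same slot,
 * then resolve the stale handle for A both ways. Returns 1 when the
 * unchecked path was confused into returning B while the checked path
 * refused the stale handle, which is the expected outcome. */
int demo_use_after_free(void) {
    memset(pool, 0, sizeof pool);
    handle_t a = pool_alloc("object-A");
    pool_free(a);                          /* a is now dangling */
    handle_t b = pool_alloc("object-B");   /* reuses a's slot */

    const char *unchecked = lookup_unchecked(a);   /* resolves to "object-B" */
    const char *checked   = lookup_checked(a);     /* NULL: generation mismatch */

    int confused = unchecked != NULL && strcmp(unchecked, "object-B") == 0;
    return b.index == a.index && confused && checked == NULL;
}

int main(void) {
    printf("stale handle resolved by unchecked lookup, refused by checked lookup: %s\n",
           demo_use_after_free() ? "yes" : "no");
    return 0;
}
```

The confusion shown by `lookup_unchecked` is the whole hazard: nothing crashes, the program just acts on the wrong object. Real allocators make the same reuse, which is why clearing references on free, generation-tagged handles, and running tests under a memory-error detector such as AddressSanitizer are the usual defensive measures.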
The company has since released a security patch in Chrome version 98.0.4758.102. However, Weidemann claims that the groups spent the weeks between January 4 and February 14 carrying out several covert attacks in separate phases, which helped them hide their tracks.
Weidemann wrote that the groups were “careful to protect their exploits … [they] deployed multiple safeguards to make it difficult for security teams to recover any of the stages.”
The groups are suspected to have been created by the authoritarian regime to carry out operations that would help boost North Korea’s government resources.
We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.
Google claims that it was not the only company targeted in the attacks, stating:
Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on macOS or Firefox (on any OS) and directed them to specific links on known exploitation servers.
Weidemann also highlighted that the privacy and security of users are of utmost importance to Google. He wrote:
As part of our efforts to combat serious threat actors, we use the results of our research to improve the safety and security of our products … We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.
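Checking that every Chrome install is at or above the fixed version named in the article (98.0.4758.102) sounds trivial, but dotted version strings must be compared number by number: as plain text, "98.0.4758.99" sorts after "98.0.4758.102". The following C program is an added example, not Google’s tooling; the inventory records inside it are constructed, and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Google's tooling. The patched version is the one
 * named in the article; everything at or above it includes the fix. */
#define PATCHED_CHROME_VERSION "98.0.4758.102"

/* Accept only digits and single dots with no empty component. */
static int valid_version(const char *v) {
    if (*v == '\0' || *v == '.') return 0;
    for (const char *p = v; *p; p++) {
        if (*p == '.') {
            if (p[1] == '.' || p[1] == '\0') return 0;  /* empty component */
        } else if (*p < '0' || *p > '9') {
            return 0;
        }
    }
    return 1;
}

/* Returns <0, 0, >0 as a is older than, equal to, or newer than b.
 * Both inputs must pass valid_version(); missing trailing components
 * count as zero, so "98.0.4758" is older than "98.0.4758.102". */
int compare_versions(const char *a, const char *b) {
    while (*a || *b) {
        char *end;
        long x = 0, y = 0;
        if (*a) { x = strtol(a, &end, 10); a = end; }
        if (*b) { y = strtol(b, &end, 10); b = end; }
        if (x != y) return x < y ? -1 : 1;
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 0;
}

/* 1 = includes the fix, 0 = older than the fix, -1 = unparseable input. */
int chrome_is_patched(const char *installed) {
    if (!valid_version(installed)) return -1;
    return compare_versions(installed, PATCHED_CHROME_VERSION) >= 0;
}

int main(void) {
    /* Constructed inventory records: hostname and reported Chrome version. */
    const char *inventory[][2] = {
        { "ws-01", "98.0.4758.102" },
        { "ws-02", "98.0.4758.99"  },   /* text-sorts as newer, is older */
        { "ws-03", "99.0.4844.51"  },
        { "ws-04", "unknown"       },
    };
    size_t n = sizeof inventory / sizeof inventory[0];
    for (size_t i = 0; i < n; i++) {
        int r = chrome_is_patched(inventory[i][1]);
        printf("%s %-14s %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "patched" : r == 0 ? "NEEDS UPDATE" : "unparseable");
    }
    return 0;
}
```

The `strcmp` pitfall is worth keeping in mind when version strings are compared in spreadsheets, SIEM queries, or ad-hoc scripts: a text comparison would mark ws-02 as up to date.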