Worldwide universities attacked by North Korean hackers

Academic organizations around the world have been attacked since last May

Digital forensics specialists from the International Institute of Cyber Security report that hacker groups linked to North Korea have deployed a spear phishing campaign against multiple academic institutions around the world. The attack campaign includes emails with an attached document, trying to trick the victims into installing a malicious Chrome extension. This campaign has been identified as Stolen Pencil, and among its victims are universities with specialties in biometric engineering.

The attackers assure the persistence of the campaign through the use of standard tools, but according to reports of specialists in digital forensics, their operational security is deficient, since it has been concluded that the attackers use Korean keyboards, open browsers and English-Korean translator.

According to the analysis published by the experts it is still not possible to determine what is the main objective of this campaign, although they add that this group of malicious actors is specialist in access credential theft. “Potential victims receive a phishing email that redirects them to a website; subsequently, the attacker will try to get the victim to download a malicious Chrome extension,” the experts mentioned.

“Once the attack is completed, malicious actors try to gain persistence in the victim’s system using tools such as Remote Desktop Protocol (RDP) and maintain access,” the report says.

The malicious extension loads JavaScript from a different website. This extension allows attackers to access data from all the websites that the victim visits, so experts deduce that hackers try to steal cookies and passwords right from the browser.

According to the report of the experts in digital forensics, no malware has been used during the Stolen Pencil campaign. Instead this hacker group has resorted to the use of RPD to access victims’ records. In addition, experts have found evidence of remote access to compromised systems on a daily basis.

Researchers also discovered a ZIP file that contains tools for port scanning, memory and password dump and other hacking tasks. Among the tools found are KPortSca, PsExec, the Eternal exploit set, and tools such as Network Password Recovery, Remote Desktop PassView, SniffPass and WebBrowserPassView.

It is likely that this campaign will only be a small sample of the scope of the activities of this group of hackers. After analyzing the methods and tools used by these malicious actors, the experts have concluded that the attacks came from North Korea.

“While we were able to get information on hackers’ tools, techniques and procedures behind the Stolen Pencil campaign, it is clear that this is just a small glimpse of their activities. Despite its wide range, these hackers resort to relatively simple techniques and exploit tools that are already in the attacked systems; as is often said in cybersecurity, these attackers “live off the land”, the experts mentioned.