Cyberattack on GitHub customers linked to North Korean hackers, Microsoft says

Microsoft is attributing a cyberattack on customers of software development platform GitHub to a previously unknown hacking group based in North Korea.

This week, GitHub’s Alexis Wales published an alert about a “a low-volume social engineering campaign” targeting the personal accounts of employees of technology firms. The hackers used “a combination of repository invitations and malicious npm package dependencies.”

“Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector,” Wales said, adding that no GitHub or npm systems were compromised in the campaign.

GitHub attributed the attacks to a group known at Microsoft (which owns GitHub) by the name “Jade Sleet” and called TraderTraitor by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Sleet is Microsoft’s naming signifier for North Korean hackers and Jade is a previously unused identifier.

A spokesperson from Microsoft confirmed to Recorded Future News that the company “has not publicly discussed this threat actor before.”

The GitHub alert said Jade Sleet “mostly targets users associated with cryptocurrency and other blockchain-related organizations, but also targets vendors used by those firms.”

GitHub explained that the attack chain started with Jade Sleet impersonating a developer or recruiter by creating a fake personal account on GitHub and other social media platforms like LinkedIn, Slack and Telegram.

Some attacks have involved legitimate accounts that were taken over by hackers. The group often starts contact on one platform before offering to switch to another.

“After establishing contact with a target, the threat actor invites the target to collaborate on a GitHub repository and convinces the target to clone and execute its contents. The GitHub repository may be public or private,” Wales said.

“The GitHub repository contains software that includes malicious npm dependencies. Some software themes used by the threat actor include media players and cryptocurrency trading tools. The malicious npm packages act as first-stage malware that downloads and executes second-stage malware on the victim’s machine.”

GitHub noted that the hackers typically publish their malicious packages only when they extend a fraudulent repository invitation in an effort to limit the amount of exposure to the malicious tools.

Much of their findings were echoed in research done by cybersecurity experts at Phylum Security in June.

GitHub said it is suspending the npm and GitHub accounts associated with the campaign, publishing attack indicators and filing abuse reports with the domain hosts used by the attackers.

The platform urged users to check whether they were contacted by the group and to generally be wary of any contact through social media platforms.

North Korean hackers have made a point of targeting cryptocurrency exchanges, commercial banks and e-commerce platforms, launching dozens of attacks against crypto firms and stealing billions of dollars worth of cryptocurrency.

South Korea's state intelligence agency said on Wednesday that North Korea stole about $700 million worth of cryptocurrency last year, enough money to enable the dictatorship “to fire 30 intercontinental ballistic missiles.”

These campaigns are largely meant to bolster the North Korean government’s “continued efforts to generate funds for the regime, which remains under significant international sanctions,” according to research published last month by Recorded Future’s Insikt Group.

The TraderTraitor group was highlighted by CISA last year in an advisory that said several U.S. government agencies have observed North Korean cyber actors specifically targeting a “variety of organizations in the blockchain technology and cryptocurrency industry.”

“Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms,” CISA said in April 2022.

“The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as ‘TraderTraitor.’”

North Korean hackers were accused on Thursday of being behind the breach of software company JumpCloud. The attack was part of an attempted supply-chain attack targeting cryptocurrency companies.