Suspected North Korean hackers target universities using Chrome extension

Pyongyang's hackers have expanded their targeted base, according to ASERT, the threat intelligence group of Netscout’s Arbor Networks.
Pyongyang, North Korea -- Wikicommons CC2.0

While North Korean hackers are known for stealing money to finance Kim Jong Un’s authoritarian regime, Pyongyang may also be engaging in a cyber-espionage campaign targeting universities, new research shows.

The hacking operation, which began in May, if not earlier, uses malicious Google Chrome extensions to gain a foothold into a victim’s computer, according to ASERT, the threat intelligence group of Netscout’s Arbor Networks.

Once the hackers compromised a target network, they used “off-the-shelf tools,” like remote desktop protocol, to retain access to the network, according to ASERT.  The goal of the operation, dubbed “Stolen Pencil,” appears to be maintaining persistent access; researchers found no evidence of data theft.

“A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers’ targeting,” states the research, which was published Wednesday. The malicious extensions have been removed from the Google Play Store, ASERT says.


Although ASERT did not definitively tie the hackers to North Korea, clues point to the Hermit Kingdom. Use of off-the-shelf tools and a cryptojacker are typical of the North Koreans, and the hackers’ poor operational security showed that Korean was their language of choice in websites they viewed and in their keyboard usage, researchers said.

ASERT did not specify the location of the universities being targeted. However, one Twitter user documented a spearphishing attempt in the campaign sent from a compromised or mock Dartmouth College email address that included the words “nuclear deterrence” as a lure.

The spearphishing email was sent to a person who specializes in Korean affairs at a think tank, a source familiar with the matter told CyberScoop.

This is not the first apparent North Korean cyber-espionage operation aimed at research communities. In September 2013, Kaspersky Lab documented a suspected North Korean campaign against South Korean think tanks.


The Chrome extension hashes found in the new campaign exposed by ASERT tie the activity to the cyber-espionage group identified by Kaspersky in 2013, ZDNet reported.

It’s not only money they’re after

A trademark of North Korea’s computer operatives is their aggressive targeting of financial institutions around the world. In October, cybersecurity company FireEye revealed a Pyongyang-linked group that had tried to steal $1.1 billion. But it’s not just banks that are in the crosshairs. The United States has attributed the 2014 cyberattack on Sony Pictures Entertainment and the 2017 WannaCry ransomware outbreak to North Korea. And there is more evidence, aside from the ASERT research, that North Korea-linked hackers are expanding their target base to other industries.

Dmitri Alperovitch, CTO and co-founder of cybersecurity company CrowdStrike, said his company has recently observed an uptick in targeting from North Korean hackers, “including an attempted intrusion into a manufacturing company that may signal an expansion into economic espionage.”

In tracking North Korean hacking groups for a decade, CrowdStrike has seen “continued growth in the sophistication of their tradecraft,” Alperovitch told CyberScoop.


As Pyongyang expands its hacking targets, the United States has struggled to find ways to deter North Korea in cyberspace. In October, the FBI quietly told American companies that North Korean government hackers will keep targeting financial institutions worldwide despite the U.S. government’s attribution of such activity to Pyongyang.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts