IT Pro
Zach Marzouk

North Korean hackers plot Gmail theft attacks via Chrome extension

South Korea and Germany have released a joint cyber security advisory warning that North Korean hackers are trying to steal Gmail emails through a malicious Chrome extension.

The National Intelligence Service (NIS) of the Republic of Korea and the German Bundesamt für Verfassungsschutz (BfV) have warned that Kimsuky, a group of North Korean hackers also tracked as 'Velvet Chollima' and 'Thallium', is directing its attacks at researchers focused on North Korea and the Korean Peninsula.

The attackers used a spear phishing email to install a malicious Chromium extension via a link. When the victim logs into their Gmail, the extension is activated and sends the stolen email content to the attacker’s server, bypassing security settings.

The hacking group also uses Android malware to get further access to a victim’s device. After stealing a victim’s Google account information through the phishing technique, the attacker also registers a malicious app on the Google Play Console and adds the account as a test target.

Analysis of the attacks showed that the attacker then logs in to a victim’s Google account on a PC and requests installation of the malicious app onto the victim’s smartphone, which is linked to the Google account. This is done through Google Play’s synchronisation feature.

Kimsuky makes use of three malware strains called FastFire, FastViewer, and FastSpy, according to Cyware. The malware allows an attacker to track users’ locations, collect keystrokes, record camera data, intercept phone calls, and save documents.

The North Korean hacking group has used malicious browser extensions in the past to steal data from Gmail and AOL sessions.

Cyber security firm Volexity discovered the extension, called ‘SHARPEXT’, in August 2022. The extension monitored webpages to sift through emails and attachments from victims’ mailboxes.

The spyware was linked to a threat actor called SharpTongue, another known alias of Kimsuky. The browser extension was also installed using spear phishing and social engineering tactics, by encouraging victims to access a malicious document.

In July 2022, the US State Department named Kimsuky on its list of North Korean hacking groups about which it was actively seeking information, posting a $10 million reward for useful submissions.

Other notorious groups on the list included Lazarus Group (the group blamed for 2017's WannaCry attack), Andariel, and Bluenoroff.
