The North Korean threat group has been keeping up its job recruitment ploys to steal developers’ corporate codebases and secrets.
When are state-sponsored cyber threat actors not satisfied with just launching sophisticated cyberattacks?
Answer: When they also need social engineering campaigns to spear-phish software developers around the world.
North Korean threat actors Lazarus Group have recently been baiting Python developers seeking job opportunities on LinkedIn. On the pretext of testing job applicants’ coding skills, the threat group has been using trojanized documents to gain entry into victims’ computers. Should the compromised machine be a corporate one, or any workstation holding useful code repositories or sensitive data, the attackers gain access to secrets they can use in future targeted campaigns.
Cybersecurity analysts believe this approach is part of the threat group’s August 2023 “VMConnect campaign” on open source repositories. According to Keeper Security’s VP (Security & Compliance), Patrick Tiquet, state-sponsored threat actors are “blending human manipulation with technical exploitation, highlighting the necessity for everyone to stay vigilant.” This means:
- For developers, this is a wake-up call that even something as routine as a coding test can be turned into an attack vector. The fact that malicious software is being delivered through repositories such as PyPI also shows how easily attackers can exploit familiar channels.
- Software supply chain security needs to be bolstered: not just for production code, but also for pre-production development code. “Malicious packages can be inserted into the development process long before the code reaches production, putting entire projects at risk,” Tiquet noted.
Developers are reminded to exercise caution when approached with unsolicited job opportunities, especially from unfamiliar recruiters or projects. “Verifying the legitimacy of job offers, closely inspecting the sources of coding assignments, and ensuring all software packages come from verified, trusted sources are essential steps,” Tiquet concluded.
In 2023, the threat group had also targeted Amazon employees, dangling “dream jobs” laced with phishing links that encouraged victims to download malware.