Cloud Security, Threat Intelligence

Google Cloud, AWS targeted by North Korean hacking group

North Korea flag is depicted on the screen with the program code. The concept of modern technology and site development

North Korean state-backed threat operation UNC4899, also known as TraderTraitor, Slow Pisces, Jade Sleet, and PUKCHONG, has targeted Google Cloud and Amazon Web Services environments in separate attacks that enabled the theft of millions worth of cryptocurrency, The Hacker News reports.

After achieving initial access via stolen credentials and long-term access keys in Google Cloud and AWS instances, respectively, UNC4899 proceeded to launch the GLASSCANNON downloader that distributes the PLOTTWIST and MAZEWIRE backdoors, according to an analysis from Google Cloud. TraderTraitor was recently reported by Wiz researchers to have been targeting cloud environments to compromise users rather than the platforms. Such findings come as North Korean hacking collective Lazarus Group was noted by Sonatype to have been increasingly leveraging open-source packages for malware delivery. "These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure," said Sonatype researchers.

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds