Skip to content ↓ | Skip to navigation ↓

Computer users are being reminded once again to take care of the browser extensions they install after security experts discovered a hacking campaign that has been targeting academic institutions since at least May 2018.

Researchers at Netscout have warned of a state-sponsored attack dubbed “Stolen Pencil” that is thought to originate from North Korea.

The state-sponsored attack is relatively unusual for its use a malicious Google Chrome browser extension.

The hackers are said to have sent out emails to their targeted victims posing as academic institutions in order to trick them into clicking on a link.

In a message posted in September, one Twitter user described how they had received an email claiming to come from Dartmouth College. The email, which used the subject of nuclear deterrence as a lure, encouraged the recipient to visit a web link that contained a benign PDF file.

Upon reaching the webpage, the targeted user would be redirected to the installation page of a malicious browser extension called “Font Manager” in the Chrome Web Store.

In an attempt to increase the likelihood of targeted users installing the browser extension, Font Manager’s entry in the Chrome Web Store was accompanied by many “five star” reviews copied from other extensions. Amusingly, even the text of poor reviews was copied by those attempting to make their extension appear more reputable – which presumably wasn’t their intention.

Once in place, the extension was able to steal cookies and passwords from users’ Chrome browser sessions. Some compromised computers were also found to have had their email forwarded.

Researchers realized that the servers used to host the phishing sites had previously been used in other attacks that had compromised university networks.

Malware used in the campaign was designed to log keystrokes, hijack Ethereum cryptocurrency transactions and allow hackers to gain a foothold inside an institution – which they then exploited remotely via Remote Desktop Protocol (RDP).

Hackers typically accessed compromised systems between 06:00-09:00 UTC (which is the early hours of the morning for the East coast of the United States, where many of the targeted academic institutions were based).

However, although their intentions were presumably intended to be surreptitious, the hackers were sloppy. Users found that their computers’ browser opened to Korean webpages including online English-Korean translators, and their keyboards switched to Korean language.

As ZDNet reports, security researchers believe that they have identified three US-based universities and one non-profit institution based in Asia that were targeted in the Stolen Pencil campaign.

Fortunately, Google has now removed the offending extension from the Chrome Web Store. But there is always the possibility that some computers remain compromised as a consequence of the attack. If you suspect your computer may have been infiltrated, it makes sense to change passwords and enable two-factor authentication where possible to reduce the chances of future exploitation.

And, of course, you would be unwise to think that only universities could be targeted in this fashion. In this instance, many of those targeted appear to have had expertise in biomedical engineering (possibly indicating a motivation for those behind the attack), but it could just as easily have been another subject area or industry that found itself in the firing line.

One thing is for certain – determined hackers won’t always be so sloppy about leaving clues on their victims’ desktop.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.