North Korea-linked Hackers Target Academic Institutions

A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.

The attackers use spear-phishing emails that link to a website where a lure document attempts to trick users into installing a malicious Google Chrome extension. Following initial compromise, off-the-shelf tools are used to ensure persistence. 

The campaign likely hit other targets as well, though NetScout says that only the phishing domains aimed at academia were meant to deliver the malicious Chrome extension. Many of the intended victims, spread across multiple universities, had expertise in biomedical engineering.

The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to find open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean. 

Built-in Windows administration tools and commercial off-the-shelf programs were employed to “live off the land”, and Remote Desktop Protocol (RDP) was also used to ensure continuous access. However, because there is no evidence of data theft, the motivation behind the attacks is largely uncertain.

The campaign, which NetScout refers to as STOLEN PENCIL, employed many basic phishing pages, the researchers say. The more sophisticated phishing pages that targeted academia displayed a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The extension loads JavaScript from a separate site, but when the researchers retrieved the file it contained only legitimate jQuery code, likely because the attacker had swapped out the malicious code to hinder analysis. The extension could read data from every website the victim visited, suggesting that the attackers were looking to steal browser cookies and passwords.

Instead of malware, the STOLEN PENCIL actors employed RDP to access the compromised machines, with the remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL also used two signed sets of tools, namely MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’, while the latter adds a Windows administrator account to the system and would also enable RDP.

The security researchers also discovered an archive containing tools for port scanning, memory and password dumping, and more. These include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

“Clearly this toolset can be used to scavenge passwords stored in a wide array of locations. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system,” NetScout notes. 
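A detection sketch for the persistence pattern described above (a backdoor local administrator account, RDP forced open, then RDP logons clustered in the 06:00-09:00 UTC window), added here as an illustration and not taken from NetScout or the article. The event records are constructed, and the field names are an assumption modelled on Windows Security log events 4720, 4732, 4657 and 4624.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), modelled on Windows Security
# Event IDs 4720 (account created), 4732 (member added to a local group),
# 4657 (registry value modified) and 4624 (logon; LogonType 10 = RDP). Times are UTC.
SAMPLE_EVENTS = [
    {"ts": "2018-11-20 05:50:00", "id": 4720, "host": "LAB-PC1", "target": "svc_update"},
    {"ts": "2018-11-20 05:50:05", "id": 4732, "host": "LAB-PC1", "target": "svc_update", "group": "Administrators"},
    {"ts": "2018-11-20 05:51:00", "id": 4657, "host": "LAB-PC1", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "new": "0"},
    {"ts": "2018-11-20 06:12:00", "id": 4624, "host": "LAB-PC1", "target": "svc_update", "logon_type": 10},
    {"ts": "2018-11-21 06:30:00", "id": 4624, "host": "LAB-PC1", "target": "svc_update", "logon_type": 10},
    {"ts": "2018-11-21 14:00:00", "id": 4624, "host": "LAB-PC1", "target": "alice", "logon_type": 10},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def find_backdoor_accounts(events, window=timedelta(minutes=10)):
    """(host, account) pairs created (4720) and added to Administrators (4732) within `window`."""
    created = {(e["host"], e["target"]): ts(e) for e in events if e["id"] == 4720}
    hits = set()
    for e in events:
        if e["id"] == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["target"])
            if key in created and timedelta(0) <= ts(e) - created[key] <= window:
                hits.add(key)
    return hits

def find_rdp_enablement(events):
    """Hosts where fDenyTSConnections under the Terminal Server key was set to 0 (RDP enabled)."""
    return {e["host"] for e in events
            if e["id"] == 4657 and e.get("value") == "fDenyTSConnections"
            and e.get("new") == "0" and e.get("key", "").endswith(r"\Terminal Server")}

def off_hours_rdp_logons(events, start_hour=6, end_hour=9):
    """Count RDP logons (4624, LogonType 10) per (host, account) with UTC hour in [start_hour, end_hour)."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10 and start_hour <= ts(e).hour < end_hour:
            counts[(e["host"], e["target"])] += 1
    return dict(counts)

def correlate(events):
    """(host, account) pairs showing all three stages: backdoor admin, RDP forced open, off-hours RDP use."""
    backdoors = find_backdoor_accounts(events)
    rdp_hosts = find_rdp_enablement(events)
    logons = off_hours_rdp_logons(events)
    return sorted(k for k in backdoors if k[0] in rdp_hosts and logons.get(k, 0) > 0)
```

Each stage on its own is noisy (administrators legitimately create accounts and enable RDP); the value is in requiring all three on the same host and account before raising an alert.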

The STOLEN PENCIL campaign likely represents only a small part of the threat actor’s activity. The basic techniques, the off-the-shelf programs, the aforementioned cryptojacker, and the use of the Korean language suggest that the actor is of North Korean origin, the security researchers say.

“They spent significant time and resources doing reconnaissance on their targets, as evidenced by the comments left on the Chrome extension page. Their main goal appears to be gaining access to compromised accounts and systems via stolen credentials and holding on to it. We were not able to find any evidence of data theft – their motives for targeting academia remain murky,” NetScout concludes.

Related: U.S. Links North Korean Government to ATM Hacks

Related: Researchers Link New NOKKI Malware to North Korean Actor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
