A recent cyberattack campaign named Operation SyncHole has targeted six organizations in South Korea. The attacks were orchestrated by the Lazarus Group, a notorious hacking entity linked to North Korea. The campaign targeted industries including software, IT, finance, semiconductor manufacturing, and telecommunications. Evidence of compromise first appeared in November 2024. The attackers employed a sophisticated approach, combining a watering-hole strategy with the exploitation of vulnerabilities in software specific to South Korea.
The operation exploited a one-day vulnerability in Innorix Agent for lateral movement, along with weaknesses in Cross EX, software used for secure transactions in South Korea. Tools such as ThreatNeedle, AGAMEMNON, wAgent, SIGNBT, and COPPERHEDGE allowed the attackers to establish persistence, gather intelligence, and dump credentials. The attack proceeded in two phases: initial deployment of ThreatNeedle and wAgent, followed by SIGNBT and COPPERHEDGE for ongoing access and intelligence collection. Tactics included using LPEClient for host profiling and AGAMEMNON for payload delivery, with techniques such as Hell's Gate used to evade security controls.
This campaign highlights a continuing trend of targeted attacks on South Korean supply chains, following patterns previously seen in the Andariel sub-cluster of the Lazarus Group. Kaspersky's investigation also uncovered a zero-day file download vulnerability in Innorix Agent, which has since been patched. The Lazarus Group continues to refine its methods and remains a persistent threat to South Korean supply chains in the landscape of international cyber warfare.