North Korean hackers plot Gmail theft attacks via Chrome extension

Abstract image showing a cyber criminal silhouetted against a North Korean flag
(Image credit: Shutterstock)

South Korea and Germany have released a joint cyber security advisory warning that North Korean hackers are trying to steal Gmail emails through a malicious Chrome extension.

The National Intelligence Service (NIS) of the Republic of Korea and the German Bundesamt für Verfassungsschutz (BfV) have warned that Kimsuky, a group of North Korean hackers also tracked as 'Velvet Chollima' and 'Thallium', are focusing their attacks on researchers focusing on North Korea and the Korean Peninsula.

The attackers used a spear phishing email to install a malicious Chromium extension via a link. When the victim logs into their Gmail, the extension is activated and sends the stolen email content to the attacker’s server, bypassing security settings.

The hacking group also uses Android malware to get further access to a victim’s device. After stealing a victim’s Google account information through the phishing technique, the attacker also registers a malicious app on the Google Play Console and adds the account as a test target.

Analysis of the attacks showed that the attacker then logs in to a victim’s Google account on a PC and requests installation of the malicious app onto the victim’s smartphone, which is linked to the Google account. This is done through Google Play’s synchronisation feature.


Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy


Kimsuky makes use of three malware strains called FastFire, FastViewer, and FastSpy, according to Cyware. The malware allows an attacker to track users’ locations, collect keystrokes, record camera data, intercept phone calls, and save documents.

The North Korean hacking group has used malicious browser extensions in the past to steal data from Gmail and AOL sessions.

Cyber security firm Volexity discovered the extension, called ‘SHARPEXT’, in August 2022. The extension monitored webpages to sift through emails and attachments from victims’ mailboxes.

The spyware was linked to a threat actor called SharpTongue, another known alias of Kimsuky. The browser extension was also installed using spear phishing and social engineering tactics, by encouraging victims to access a malicious document.

In July 2022, Kimsuky was named on the US State Department list of North Korean hacking groups on which it was actively seeking information, posting a $10 million dollar reward for useful submissions.

Other notorious groups on the list included Lazarus Group - the group blamed for 2017's WannaCry attack, Andariel, and Bluenoroff.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.