Google’s Threat Analysis Group (TAG) announced in a press release on Thursday that an as-yet-unidentified group of hackers had exploited five zero-day vulnerabilities during 2019.
The company said that the majority of victims targeted by the hackers were “from North Korea or individuals who worked on North Korea-related issues”.
“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare,” Toni Gidwani, a security engineering manager at TAG, said in the press release. “The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns”.
Gidwani noted that the zero-day flaws affected five platforms: Android, Chrome, iOS, Internet Explorer and Windows.
Although Google declined to speculate about who might be responsible for the attacks, the Russian security firm Kaspersky linked Google's findings to DarkHotel, a hacker group that has allegedly targeted North Koreans in the past and is suspected of working for the South Korean government, according to WIRED.
Within hours of the TAG report, Kaspersky reportedly matched two of the five vulnerabilities (one in Windows, one in Internet Explorer) with bugs it had earlier tied to DarkHotel: the firm had previously seen those same bugs exploited to plant known DarkHotel malware on its customers' devices.
Since TAG attributed all five zero-days to a single actor, "it’s quite likely that all of them are related to DarkHotel,” said Costin Raiu, head of Kaspersky's Global Research & Analysis Team, as quoted by WIRED.
Raiu added that DarkHotel is “interested in getting information such as documents, emails, pretty much any bit of data they can from these targets”.