A state-sponsored North Korean threat actor known as UNC4899 recently executed a sophisticated cloud compromise against a cryptocurrency firm to facilitate a multi-million-dollar theft. The operation was characterized by a complex progression from social engineering a single developer to manipulating core cloud databases through advanced technical pivots.
The campaign began when the attackers, also known as Jade Sleet or TraderTraitor, targeted a developer through social engineering by posing as collaborators on an open-source project. This deception led the victim to download a malicious archive file onto a personal device. To move the threat into the corporate environment, the developer unknowingly used AirDrop to transfer the infected file to their work machine, bypassing traditional network perimeters.
Once the file reached the corporate workstation, the developer interacted with its contents using an AI-assisted development environment. This interaction triggered the execution of embedded Python code, which in turn launched a malicious binary designed to mimic a legitimate Kubernetes command-line tool. This binary established a backdoor connection to an attacker-controlled domain, granting the hackers remote access to the employee’s authenticated corporate sessions.
With a foothold established on the workstation, the threat actors pivoted into the organization’s Google Cloud environment. They conducted initial reconnaissance to map out projects and services, eventually identifying and abusing legitimate DevOps workflows. These maneuvers allowed the attackers to harvest sensitive credentials and perform container breakouts, effectively moving beyond isolated segments of the infrastructure to reach the heart of the cloud environment.
The final stage of the attack involved living-off-the-cloud techniques, where the adversaries used legitimate cloud tools to hide their activities. By tampering with Cloud SQL databases and modifying financial logic, the group was able to authorize the illicit transfer of cryptocurrency. This progression highlights a growing trend where personal device vulnerabilities are exploited to bridge the gap into highly secure, cloud-native corporate infrastructures.
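The database tampering described above leaves a trail in Cloud Audit Logs. As an added defender-side example (not code from the original article or from any vendor report), the following Python scans Google Cloud Audit Log entries for Cloud SQL Admin API write operations performed by an identity other than the approved DevOps pipeline account; the method names, principals and log lines are constructed assumptions.

```python
"""Added detection example (not code from the article or any vendor): flag Cloud SQL
Admin API writes in Google Cloud Audit Logs whose principal is not an approved
DevOps pipeline identity. Method names are assumed; verify against your own logs."""
import json

# Cloud SQL Admin API methods that change instance, user or database state
# (assumed names; reads such as cloudsql.instances.get are deliberately absent).
CLOUDSQL_WRITE_METHODS = {
    "cloudsql.instances.update", "cloudsql.instances.patch",
    "cloudsql.users.create", "cloudsql.users.update",
    "cloudsql.databases.update",
}

def find_unapproved_sql_changes(log_lines, approved_principals):
    """Return (timestamp, principal, method, resource) for every Cloud SQL write
    not performed by an approved pipeline identity. Malformed lines are skipped."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than crash the scan
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "cloudsql.googleapis.com":
            continue
        method = payload.get("methodName", "")
        if method not in CLOUDSQL_WRITE_METHODS:
            continue  # reads are noisy and are not the tampering signal here
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in approved_principals:
            continue
        findings.append((entry.get("timestamp"), principal, method, payload.get("resourceName")))
    return findings

# Constructed sample entries (not real telemetry): one routine pipeline update,
# one read, one malformed line, and two writes under a developer's interactive identity.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2025-06-01T09:00:00Z","protoPayload":{"serviceName":"cloudsql.googleapis.com","methodName":"cloudsql.instances.update","authenticationInfo":{"principalEmail":"deploy-pipeline@example-project.iam.gserviceaccount.com"},"resourceName":"projects/example-project/instances/ledger-db"}}',
    '{"timestamp":"2025-06-01T09:05:00Z","protoPayload":{"serviceName":"cloudsql.googleapis.com","methodName":"cloudsql.instances.get","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/example-project/instances/ledger-db"}}',
    'not json at all',
    '{"timestamp":"2025-06-01T09:07:00Z","protoPayload":{"serviceName":"cloudsql.googleapis.com","methodName":"cloudsql.users.create","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/example-project/instances/ledger-db"}}',
    '{"timestamp":"2025-06-01T09:09:00Z","protoPayload":{"serviceName":"cloudsql.googleapis.com","methodName":"cloudsql.databases.update","authenticationInfo":{"principalEmail":"dev@example.com"},"resourceName":"projects/example-project/instances/ledger-db/databases/payments"}}',
]
APPROVED_PRINCIPALS = {"deploy-pipeline@example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for hit in find_unapproved_sql_changes(SAMPLE_LOG_LINES, APPROVED_PRINCIPALS):
        print("ALERT:", *hit)
```

In practice the approved set would come from the IAM bindings of the deployment service accounts, and the matches would feed an alert rather than stdout.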
Source: UNC4899 Breaches Crypto Firm Using Trojanized File Sent via AirDrop