Thursday 25 September 14:00 - 14:30, Green room
Ryan Sherstobitoff (SecurityScorecard)
In December 2024, a routine software update concealed a global cyber threat. The North Korean state-sponsored Lazarus Group infiltrated trusted development tools, launching a sophisticated supply chain attack code-named Phantom Circuit. This campaign compromised hundreds of victims across cryptocurrency and technology sectors, leveraging advanced obfuscation techniques via proxy servers in Hasan, Russia.
STRIKE's investigation uncovered a critical shift in Lazarus Group's tactics – embedding malware directly into widely used development applications. The attackers utilized an extensive command-and-control (C2) infrastructure, operational since September 2024, to manage exfiltrated data. Their administrative platform, secured behind proxy relays, facilitated persistent remote access and data organization through a hidden React-based interface with Node.js APIs. Further analysis indicated overlap between Phantom Circuit and North Korean IT worker schemes, where state-sponsored actors disguised as freelance developers contributed to compromised software projects.
This study presents a detailed analysis of Phantom Circuit, including its layered infrastructure, anonymization techniques, and global scale of compromise. Our findings indicate:
Our investigation leveraged a combination of OSINT analysis, netflow data and STRIKE threat intelligence feeds. We identified key North Korean IP addresses originating traffic to Astrill VPN endpoints. These endpoints then relayed through the Oculus Proxy network, registered to Sky Freight Limited in Hasan, Russia, before reaching the command-and-control infrastructure. Further analysis showed connections between these IPs and previous cyber operations linked to North Korean state-sponsored activities, confirming the involvement of Lazarus Group actors operating from Pyongyang. Additionally, overlaps were identified between Phantom Circuit and North Korea's IT worker schemes, where operatives masquerading as freelance developers injected malicious code into software repositories used in global development projects.
This presentation will discuss:
Our analysis highlights the increasing complexity of state-sponsored cyber attacks and the necessity for robust software supply chain security. The insights gained from Phantom Circuit emphasize the urgency of monitoring development environments, verifying software dependencies, and deploying advanced threat intelligence to mitigate such sophisticated intrusions.
Ryan Sherstobitoff is the Senior Vice President, Threat Research and Intelligence at SecurityScorecard, where he oversees the threat research, collections, and intelligence teams. Prior to SecurityScorecard, Ryan was at McAfee Corp, where he led and contributed to nation-state threat research and analysis. He is also the former Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security intelligence expert throughout the country.