New Evidence Indicates North Korean Hackers Were Behind the Polyfill.io Supply Chain Attack
March 15, 2026
A 2024 cyber attack involving Polyfill.io was long assumed to be the work of Chinese hackers, but new evidence indicates it was more likely North Korea’s state-sponsored hacking teams making use of a Chinese front company.
The Polyfill.io breach took place in early 2024, after the service was sold to a new China-based owner. Malicious JavaScript soon began appearing in scripts served by the site, ultimately impacting over 100,000 websites. The cybersecurity firm Hudson Rock believes a North Korean team was behind the purchase, based on data recovered from a compromised device belonging to one of the threat actors and on the fact that victims' sites were redirected to a money laundering operation known to be used to move funds to the regime.
Researchers say “ironclad” evidence points to North Korean involvement
Prior to February 2024, Polyfill.io was widely used by websites as a JavaScript CDN that improved browser compatibility. It was then sold to China-based Funnull, and soon after started injecting malicious JavaScript code into scripts that it served. These scripts would redirect users to gambling or pornography sites.
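The attack worked because sites loaded a script directly from a third-party CDN, so whoever controlled that host could change what every visitor executed. The following is an added triage check, not code from the article or from Hudson Rock: it scans a page's HTML for `<script src>` tags, flags any served from polyfill.io, and separately flags cross-origin scripts carrying no `integrity` attribute. The sample HTML, the host list and the severity labels are constructed for illustration.

```javascript
// Added example: audit external <script> dependencies in an HTML document.
// Regex parsing is good enough for a quick sweep across a site; for anything
// adversarial, feed the page through a real HTML parser instead.

// Hosts the article names as the compromised CDN (constructed list; extend as needed).
const FLAGGED_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);

// Matches each <script ...> opening tag and captures its attribute string.
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;

// Pull one attribute value out of an attribute string. Handles double-quoted,
// single-quoted and bare values; anchors on whitespace so "data-src" is not "src".
function getAttr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return a list of findings for every external script in `html`, resolving
// relative and protocol-relative URLs against `pageOrigin`.
function auditScripts(html, pageOrigin) {
  const findings = [];
  const page = new URL(pageOrigin);
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = m[1];
    const src = getAttr(attrs, "src");
    if (src === null) continue; // inline script: not a CDN dependency
    let url;
    try {
      url = new URL(src, pageOrigin);
    } catch {
      continue; // unparseable src; nothing to resolve
    }
    const host = url.hostname.toLowerCase();
    const crossOrigin = url.origin !== page.origin;
    const hasSri = getAttr(attrs, "integrity") !== null;
    const flaggedHost = FLAGGED_HOSTS.has(host) || host.endsWith(".polyfill.io");

    if (flaggedHost) {
      findings.push({ src, severity: "high", reason: "loaded from polyfill.io" });
    } else if (crossOrigin && !hasSri) {
      findings.push({ src, severity: "medium", reason: "cross-origin script without integrity attribute" });
    }
  }
  return findings;
}

// Constructed sample page: one polyfill.io include, one same-origin script,
// one pinned third-party script, one unpinned third-party script, one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-lib.net/lib.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="//analytics.example.net/tag.js"></script>
<script>console.log("inline")</script>
</head></html>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, "https://example.com/"), null, 2));
```

Note that Subresource Integrity would not have protected polyfill.io users even before the sale: the service generated a different script per browser User-Agent, so there was no single hash to pin. The only real remediation for a dependency like that is to remove the tag or self-host a fixed copy, which is why the check reports polyfill.io includes as a finding regardless of any `integrity` attribute.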
Since the company was based in China, the consensus for years was that a threat actor based there was behind it. The Hudson Rock researchers say they have collected an "ironclad" trail that points to Funnull being a shell company for government-connected North Korean hackers, however. Much of the evidence comes from the compromise of one of the hackers' own devices by an infostealer belonging to another threat actor; the data collected from that device included credentials for the Funnull DNS management portal and the Polyfill Cloudflare tenant, as well as text messages exchanged with other hackers describing malicious domain configuration changes made at Polyfill.
Another cause of the initial confusion about attack attribution is that the victims were being redirected to sites owned by a China-based company called Suncity Group. However, this also appears to be an arm of the North Korean hackers used to launder stolen money back to the national government.
Evidence points to Lazarus involvement
Some evidence from the Hudson Rock report points toward the involvement of the Lazarus hacking group. This is essentially North Korea's premier hacking team and is thought to be directly controlled by its intelligence services. It is unusual among state-backed threat groups in that it focuses more on stealing money (particularly crypto) to fund the government than on espionage. The group has a long history going back to the 2014 breach of Sony and the 2016 attack on Bangladesh Bank that resulted in the theft of $81 million USD.
The group is also notable for the creativity of its approaches. It has been known to use elaborate social engineering, such as fake job interviews conducted over video conferencing across multiple rounds. But it also produces a wide range of custom malware and frequently deploys zero-day exploits, adapting its techniques freely as needed. Recently it has focused heavily on attacking weaknesses in decentralized crypto exchanges and services.