North Korea's continued campaign to breach cybersecurity researchers puts it in a position to capitalize on high-impact research and cutting-edge training materials to leverage for future attacks. It's also a chance to steal their wallets, note cybersecurity experts following the campaign.
Last week, ESET reported on Twitter that "trojanized" versions of the malware reverse-engineering research tool Ida Pro used known North Korean infrastructure. It appears to be the same group who targeted researchers using social engineering in January, through fake social media profiles set up for a sham company.
"By targeting researchers the attackers can gain access to sensitive information such as information about vulnerabilities, exploits, private tools, training material, etc.," Anton Cherepanov, the ESET researcher who first noticed the Ida Pro gimmick, told SC Media via email.
"[But]," he added, "some of the victims of the original attack back in January claim that attackers were looking for bitcoin wallets."
That included Richard Johnson, an original target of the attack in January, who tweeted that the actors seemed to target credentials and cryptocurrency wallets.
The Hermit Nation is a unique beast in cyberspace. On the one hand, it has traditional espionage operations. On the other, it has been perhaps the predominant player in state-sanctioned grand larceny, using cybercrime to compensate for lost revenue due to sanctions — most famously, the SWIFT banking heist against Bangledesh and the WannaCry ransomware fiasco. Operatives are also known to freelance their hacking skills for other enterprises, according to a DHS release in April of last year.
Since the Ida Pro gambit reused known infrastructure, it likely would only ensnare researchers who lack enterprise security around their security research, noted Greg Lesenwich, a threat intelligence analyst with Recorded Future.
That said, Cherepanov said he believed skilled researchers could still miss the tampering; the software functioned as normal.