Threat Management, Threat Intelligence, Threat Management

Cryptocurrency also a likely target in North Korean campaign on security researchers

A North Korean flag is seen at the North Korean Embassy compound on Feb. 22, 2017, in Kuala Lumpur, Malaysia. (Photo by Rahman Roslan/Getty Images)

North Korea's continued campaign to breach cybersecurity researchers puts it in a position to capitalize on high-impact research and cutting-edge training materials to leverage for future attacks. It's also a chance to steal their wallets, note cybersecurity experts following the campaign.

Last week, ESET reported on Twitter that "trojanized" versions of the malware reverse-engineering research tool Ida Pro used known North Korean infrastructure. It appears to be the same group who targeted researchers using social engineering in January, through fake social media profiles set up for a sham company.

"By targeting researchers the attackers can gain access to sensitive information such as information about vulnerabilities, exploits, private tools, training material, etc.," Anton Cherepanov, the ESET researcher who first noticed the Ida Pro gimmick, told SC Media via email.

"[But]," he added, "some of the victims of the original attack back in January claim that attackers were looking for bitcoin wallets."

That included Richard Johnson, an original target of the attack in January, who tweeted that the actors seemed to target credentials and cryptocurrency wallets.

The Hermit Nation is a unique beast in cyberspace. On the one hand, it has traditional espionage operations. On the other, it has been perhaps the predominant player in state-sanctioned grand larceny, using cybercrime to compensate for lost revenue due to sanctions — most famously, the SWIFT banking heist against Bangledesh and the WannaCry ransomware fiasco. Operatives are also known to freelance their hacking skills for other enterprises, according to a DHS release in April of last year.

Since the Ida Pro gambit reused known infrastructure, it likely would only ensnare researchers who lack enterprise security around their security research, noted Greg Lesenwich, a threat intelligence analyst with Recorded Future.

That said, Cherepanov said he believed skilled researchers could still miss the tampering; the software functioned as normal.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.