State-sanctioned North Korean hackers allegedly continue to target cryptocurrency companies and exchanges, particularly as a means of enriching the nation and countering the effects of imposed economic sanctions, according to newly released reports.
A pair of reports, from Dell Technologies’ SecureWorks and Intezer, describe a spear phishing campaign whose lure emails feature a fake job opening at a cryptocurrency company. Meanwhile, Korean and global news outlets have reported that South Korea’s National Intelligence Service spy agency suspects that North Korea is responsible for hacking attacks on one of its country’s cryptocurrency exchanges.
On Friday, researchers from SecureWorks’ Counter Threat Unit reported that the Lazarus Group, an APT actor commonly linked to North Korea, commenced a spear phishing campaign on Oct. 25, using emails that falsely advertise an open CFO position at a European cryptocurrency company. In actuality, it appears the attackers copied a LinkedIn CFO job profile from a cryptocurrency company based in Asia and slightly tweaked it to create the phishing content. (Intezer released a similar report on Dec. 12.)
The emails used in this campaign, which is likely still ongoing, include a Word attachment containing malicious macros. The attackers attempt to socially engineer recipients into enabling these macros by asking the user to accept the Enable Editing and Enable Content functions. Doing so opens a decoy document, while secretly installing a first-stage remote access trojan capable of downloading additional malware.
SecureWorks notes that elements in both the macros and the first-stage RAT, as well as components in the custom command-and-control protocol, share commonalities with former campaigns attributed to Lazarus.
The company also warns that this latest attack is part of a larger overall movement on North Korea’s part to engage in malicious activities related to cryptocurrency. Indeed, SecureWorks reports that it has found evidence dating back to 2013 of “multiple usernames originating from a North Korean IP address… taking part in bitcoin research,” and using proxies to mask the originating IP address.
“CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future,” SecureWorks predicts.
Meanwhile, The Chosun Ilbo, the Yonhap News Agency, the BBC and other news agencies have reported, citing unnamed sources, that South Korea’s National Intelligence Service believes its neighbor to the north hacked the Seoul-based Bithumb cryptocurrency exchange last February, stealing millions of dollars as well as the personal information of roughly 30,000 people.
According to the BBC, the stolen funds were originally worth $7 million but had jumped in value to $82.7 million at the time of publication last Saturday. The hackers reportedly compromised Bithumb via an employee’s home PC, and subsequently began trading bitcoin and ethereum on the exchange.
The BBC also cited reports that the hackers attempted to extort Bithumb, offering to delete traders’ stolen personal information in exchange for an additional $5.5 million payment.
The Chosun Ilbo reports that the South Korean government has fined Bithumb the equivalent of nearly $54,000 for the breach.
The National Intelligence Service also reportedly believes that North Korea hacked the exchanges Youbit (formerly known as Yapizon) and Coinis this year.