North Korean hackers continue attacks on cryptocurrency businesses

Lazarus Group hackers seamlessly integrate Mac malware into their normal attack routine.

north-korea-flag.png

Recorded Future

North Korean hackers have continued their assault on cryptocurrency exchanges and related businesses, cyber-security firm Kaspersky Lab said yesterday in a report.

The company said it detected ongoing campaigns targeting the staff of cryptocurrency businesses with malicious documents that later would download and install either Windows or Mac malware.

AppleJeus mode of operation

Image: Kaspersky Lab

The current ongoing attacks are a direct continuation of activity that Kaspersky previously documented last August in the Operation AppleJeus report.

That report detailed a series of attacks by the Lazarus Group (a codename given to a division of North Korea's state hackers) that targeted Asia-based cryptocurrency exchanges.

The report also detailed the first use of Mac malware by North Korean hackers, which now appears to have become a de-facto mode of operation.

Kaspersky's latest update shows that the group has not stopped their attacks after having their activities exposed --which isn't a surprise, as North Korean hackers tend to continue attacks even after public disclosure, unlike their Chinese or Russian counterparts that typically halt operations and rotate server infrastructure to hide their tracks.

North Korean hackers responsible for $670 million in cyberthefts

By now, it is widely known that North Korean hacking activities are usually split down the middle. Some hacking efforts focus on intelligence gathering and cyber-espionage, while other Lazarus operations are purely centered around the theft of fiat currency from real-world banks or cryptocurrency funds from online exchanges.

A report published earlier this month and authored by the United Nations panel on threat intelligence concluded that North Korean hackers stole around $571 million from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018. The report also claimed that the Pyongyang regime amassed nearly $670 million in foreign and virtual currency through cyberthefts.

The UN report echoes two other reports published in October 2018, which also blamed North Korean hackers for two cryptocurrency scams and five trading platform hacks.

A FireEye report from October 2018 also blamed North Korean hackers for carrying out bank heists of over $100 million.

Another report published in January this year claimed that North Korean hackers infiltrated Chile national ATM network after tricking an employee to run malicious code during a Skype job interview, showing the resolve Lazarus Group operators usually have when they have to infiltrate organizations in search for funds to steal.

New cryptocurrency hacks happening every week

In the meantime, hacks of cryptocurrency exchanges continue to happen on a weekly basis, and in many instances, users and threat analysts often wonder if this is just the latest work of North Korean hackers (or some inside job).

Pyongyang cyber-espionage operations in full throttle

But besides operations focused on money theft, North Korean hackers are also still busy with their intelligence gathering and relentless cyber-espionage operations, which have also never stopped.

South Korean security researchers are exposing such attacks on South Korean users and government organizations on a daily basis, exposing new spear-phishing campaigns with different lures at an astounding pace.

Not all of these operations are limited to South-East Asia and North America region were North Korean hackers usually tend to gather threat intelligence from.

A report published yesterday by Israeli newspaper Haaretz revealed that North Korea's Lazarus Group also targeted a private Israeli defense company in search for sensitive information in what the newspaper called one of the first North Korean hacks against Israel.

In spite of being such a small state and under heavy economic sanctions, North Korea has managed to become one of today's most active cyber actor and an adversary to be feared.

Despite being called out by governments around the world for its practice, the Pyongyang hackers have gone about their business as normal.

Related malware and cybercrime coverage: