North Korean hackers continue attacks on cryptocurrency businesses
North Korean hackers have continued their assault on cryptocurrency exchanges and related businesses, cyber-security firm Kaspersky Lab said yesterday in a report.
The company said it detected ongoing campaigns targeting the staff of cryptocurrency businesses with malicious documents that later would download and install either Windows or Mac malware.
The current ongoing attacks are a direct continuation of activity that Kaspersky previously documented last August in the Operation AppleJeus report.
That report detailed a series of attacks by the Lazarus Group (a codename given to a division of North Korea's state hackers) that targeted Asia-based cryptocurrency exchanges.
The report also detailed the first use of Mac malware by North Korean hackers, which now appears to have become a de-facto mode of operation.
Kaspersky's latest update shows that the group has not stopped their attacks after having their activities exposed --which isn't a surprise, as North Korean hackers tend to continue attacks even after public disclosure, unlike their Chinese or Russian counterparts that typically halt operations and rotate server infrastructure to hide their tracks.
North Korean hackers responsible for $670 million in cyberthefts
By now, it is widely known that North Korean hacking activities are usually split down the middle. Some hacking efforts focus on intelligence gathering and cyber-espionage, while other Lazarus operations are purely centered around the theft of fiat currency from real-world banks or cryptocurrency funds from online exchanges.
A report published earlier this month and authored by the United Nations panel on threat intelligence concluded that North Korean hackers stole around $571 million from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018. The report also claimed that the Pyongyang regime amassed nearly $670 million in foreign and virtual currency through cyberthefts.
The UN report echoes two other reports published in October 2018, which also blamed North Korean hackers for two cryptocurrency scams and five trading platform hacks.
A FireEye report from October 2018 also blamed North Korean hackers for carrying out bank heists of over $100 million.
Another report published in January this year claimed that North Korean hackers infiltrated Chile national ATM network after tricking an employee to run malicious code during a Skype job interview, showing the resolve Lazarus Group operators usually have when they have to infiltrate organizations in search for funds to steal.
New cryptocurrency hacks happening every week
In the meantime, hacks of cryptocurrency exchanges continue to happen on a weekly basis, and in many instances, users and threat analysts often wonder if this is just the latest work of North Korean hackers (or some inside job).
CoinBene's unannounced 'Maintenance' causing concerns it has been hacked ($40m worth of ERC-20 tokens have left its wallets) pic.twitter.com/6Hjh6Y82aa
— #sns (@cryptoSNS_) March 26, 2019
DragonEx cryptocurrency exchange said it was hacked last Sunday, March 24. pic.twitter.com/kQqGA4ctlR
— Catalin Cimpanu (@campuscodi) March 27, 2019
Pyongyang cyber-espionage operations in full throttle
But besides operations focused on money theft, North Korean hackers are also still busy with their intelligence gathering and relentless cyber-espionage operations, which have also never stopped.
South Korean security researchers are exposing such attacks on South Korean users and government organizations on a daily basis, exposing new spear-phishing campaigns with different lures at an astounding pace.
#NorthKorea #DPRK #Hack #APT_Attack #Phishing #NK_Language #Clue
— cyberwar15 (@cyberwar_15) March 26, 2019
North Korea continues cyber attacks on South Korea. pic.twitter.com/Xg30eQ5Xki
The Kimsuky group distributed malware through watering hole attack on South Korean sites. pic.twitter.com/Xgq0Ci1zE2
— Simon Choi (@issuemakerslab) March 21, 2019
Attacks seem targeting conference participants in the #Korean #ICT industry with RLO character to make the malicious .src executable look like a legitimate PDF file. A conference invitation is displayed to hide the malicious behavior of payload #DarkKomet.https://t.co/mseUgFboGw pic.twitter.com/mzrRruuHMO
— 360 Threat Intelligence Center (@360TIC) March 22, 2019
We published our analysis concerning the recent campaign using the fake #Cisco job offer in #korea. We linked it to other campaigns in 2017. Same macros, code overlaps and same TTPs https://t.co/Dm7vjrmi0P pic.twitter.com/4o7z2n9L8i
— Paul Rascagnères (@r00tbsd) January 30, 2019
Not all of these operations are limited to South-East Asia and North America region were North Korean hackers usually tend to gather threat intelligence from.
A report published yesterday by Israeli newspaper Haaretz revealed that North Korea's Lazarus Group also targeted a private Israeli defense company in search for sensitive information in what the newspaper called one of the first North Korean hacks against Israel.
In spite of being such a small state and under heavy economic sanctions, North Korea has managed to become one of today's most active cyber actor and an adversary to be feared.
Despite being called out by governments around the world for its practice, the Pyongyang hackers have gone about their business as normal.
North Korea's history of bold cyber attacks
Related malware and cybercrime coverage:
- Police Federation hit by ransomware attack
- Google fixes Chrome 'evil cursor' bug abused by tech support scam sites
- Lithuanian man pleads guilty to scamming Google and Facebook out of $123 million
- Hackers abuse Magento PayPal integration to test validity of stolen cards
- LockerGoga bug crashes ransomware before encrypting files
- Top dark web marketplace will shut down next month
- How the United Nations helps fight global cybercrime TechRepublic
- Google blocked 2.3 billion bad ads in 2018 CNET