In a report on Monday, researchers at security firm FireEye said they observed threat actors linked to Pyongyang have targeted at least three South Korean cryptocurrency exchanges since May this year to steal funds.
In these attacks, hackers used spear-phishing attacks to target the personal email accounts of employees at digital currency exchanges using lures related to taxes or by deploying malicious malware such as PEACHPIT and other variants. The malware used in these attacks have been linked to North Korean groups suspects of attacks targeting global banks last year, FireEye said.
At least one virtual currency exchange was successfully compromised in late May.
“Add to that the ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner, and we begin to see a picture of North Korean interest in cryptocurrencies,” FireEye researcher Luke McNamara wrote in a blog post published Monday (11 September).
In April, four digital wallets at Seoul-based cryptocurrency exchange Yapizon were compromised by hackers who stole more than 3,800 bitcoin ($16.3m, £12.4m at current rates). However, FireEye noted that some of the tactics and procedures reportedly used during this attack were different than the ones seen in the May attacks noting that there are “no clear indications of North Korean involvement.”
“While bitcoin and cryptocurrency exchanges may seem like odd targets for nation state actors interested in funding state coffers, some of the other illicit endeavours North Korea pursues further demonstrate interest in conducting financial crime on the regime’s behalf,” the firm said.
“As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and make the exchanges an attractive tactic for anyone seeking hard currency.”
Although North Korean hackers’ new emphasis on finances do mark a shift from their previous patterns of cyberespionage for traditional nation state activities, FireEye says this new activity is “not all that surprising” given North Korea’s position as a “pariah nation cut off from much of the global economy” and a country that “employs a government bureau to conduct illicit economic activity”.
“Bitcoin and other cryptocurrencies have increased in value in the last year, nation states are beginning to take notice,” FireEye said.”Consequently, it should be no surprise that cryptocurrencies, as an emerging asset class, are becoming a target of interest by a regime that operates in many ways like a criminal enterprise.”
Security experts and intelligence agencies have previously identified connections between North Korean hackers and the WannaCry ransomware attacks that ensnared more than 300,000 computers in over 150 countries across the globe earlier this year. Pyongyang, however, has dismissed the allegations as “ridiculous”.
“While at present North Korea is somewhat distinctive in both their willingness to engage in financial crime and their possession of cyber espionage capabilities, the uniqueness of this combination will likely not last long-term as rising cyber powers may see similar potential,” the firm said. “Cyber criminals may no longer be the only nefarious actors in this space.”