Over the past several months, threat actors believed to have ties with North Korea have been targeting crypto-currency exchanges to obtain hard currencies for the Pyongyang regime, FireEye says.
The attacks, which FireEye has observed since May 2017, are said to be part of a campaign that started in 2016, when banks and the global financial system were hit. Given the impressive spike in value Bitcoin has seen since the beginning of the year, it’s no surprise that threat actors are interested in the potential crypto-currencies have.
Traditionally, North Korean actors have been engaging in activities typically associated with nation-state cyber espionage, but they started shifting focus to conduct cybercrime as of last year. Given the country’s position as a pariah nation that has been cut off from much of the global economy, as well as its tight control of its military and intelligence capabilities, this doesn’t come as a surprise.
As such, the recently observed interest in crypto-currencies isn’t surprising either, and FireEye considers the recent attacks to be part of a larger campaign that started last year. Since May 2017, the security researchers have observed North Korean actors targeting at least three South Korean crypto-currency exchanges, supposedly in an attempt to steal funds.
The attacks, FireEye says, relied on spear-phishing emails that were often sent to the personal email accounts of employees at digital currency exchanges. Tax-themed lures were frequently employed to trick users into installing malware such as PEACHPIT and similar variants, which have been previously linked to North Korean actors.
The spear-phishing attacks started in early May and targeted one crypto-currency exchange at a time. By early June, three South Korean exchanges were hit, along with various other, unknown victims, which the security researchers suggest might be crypto-currency service providers in South Korea.
“Add to that the ties between North Korean operators and a watering hole compromise of a Bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious crypto-currency miner, and we begin to see a picture of North Korean interest in crypto-currencies, an asset class in which Bitcoin alone has increased over 400% since the beginning of this year,” FireEye notes.
Prior to these attacks, South Korean crypto-currency exchange Yapizon was compromised in April, but FireEye says that “at least some of the tactics, techniques, and procedures” reportedly employed during this incident were different, and there are no clear indications of North Korean involvement.
At the end of April, however, the United States announced a strategy of increased economic sanctions against North Korea, and the subsequent attacks on South Korean exchanges might be the result of this announcement. A July attack on Bithumb might also be the result of North Korea’s increased interest in Bitcoin, a report published last month revealed.
The targeting of Bitcoin and crypto-currency exchanges fits with North Korean actors’ previously observed interest in conducting financial crime on the regime’s behalf. By compromising a crypto-currency exchange, the actors can move crypto-currencies out of online wallets, swap them for more anonymous ones, and even “send them directly to other wallets on different exchanges to withdraw them in fiat currencies such as South Korean won, US dollars, or Chinese renminbi,” FireEye notes.
“As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and make the exchanges an attractive tactic for anyone seeking hard currency,” the researchers continue.
Nation states are starting to take notice of the potential presented by Bitcoin and other crypto-currencies, given their recent increase in value. Thus, this emerging asset class is becoming a “target of interest by a regime that operates in many ways like a criminal enterprise,” FireEye notes, adding that other rising cyber powers might follow a similar path.
“Cyber criminals may no longer be the only nefarious actors in this space,” the researchers conclude.
Just last night, the UN Security Council voted unanimously to adopt new sanctions on North Korea, including restrictions on oil shipments, banning import and export of textiles, and barring countries from issuing new work permits to North Koreans working abroad.