North Korean Hackers Continue Assault on Digital Assets

While Iranian state hackers have conducted ransomware attacks and crypto mining, and Russia is understood to use private ransomware groups in some capacities, the North Korean government is the only major adversary to include financial cybercrime in its offensive activities as a core objective.

North Korea's cybercrime program is hydra-headed, with tactics ranging from bank heists to ransomware deployment to stealing cryptocurrency from online exchanges.

Dubbed Lazarus, Kimsuky, and BeagleBoyz, North Korean hackers employ ever-more-sophisticated tools to penetrate military, government, corporate, and defense-industry networks worldwide, conducting cyber espionage and exfiltrating classified data in order to assist in the development of North Korean weapons.

The malicious actors tricked individuals into granting access, or compromised security controls outright, to drain digital funds from Internet-connected wallets to addresses controlled by North Korea. The sanctions-stricken nation has turned to elaborate ways of laundering stolen crypto, doubling down on the use of software tools that aggregate and scramble cryptocurrency from thousands of addresses.

Last year, the United States Department of Justice charged three North Korean computer programmers for participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.

In fact, North Korea's campaign against crypto is ongoing, and it has amassed over a billion dollars since the last bull market.

$1.2 Bln Stolen Since 2017

Last week, South Korea's National Intelligence Service (NIS) published a new report noting that North Korean hackers have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency in the past five years. More than half of that amount was taken this year alone, and only $78 million of the total came from South Korea.

According to South Korea's spy agency, more than 800 billion Korean won ($620 million) worth of cryptocurrencies were stolen this year alone. Speaking on the matter, a NIS spokesperson said that all of this year's thefts occurred overseas, adding, “In Korea, virtual asset transactions have been switched to real-name transactions, and security has been strengthened, so there is no damage.”

For those unfamiliar with this development: in 2021, the South Korean government implemented new rules around KYC (know-your-customer) for crypto trading. They mandate that all crypto exchanges in the country require their clients to create a real-name account with the same bank they use to deposit or withdraw their funds.

Both the exchange and the bank are then required to verify the client's identity. On top of that, exchanges must obtain a license from the Financial Services Commission (FSC) before commencing operations.

North Korean hacker groups have been linked to several large-scale crypto breaches this year — including the $100 million Harmony attack. Experts suggest these attacks are a way for the nation to generate foreign currency reserves, as they face strict commercial sanctions from the international community.

According to the NIS, North Korea has some of the world's best digital asset theft capabilities. This is due to the country's focus on cybercrime since 2017 when UN economic sanctions were toughened in response to its nuclear and missile tests.

The agency also warned that North Korean cyberattacks would intensify next year: “It is necessary to analyze attacks as closely as defenses. Because one hacker organization has all the attack information and does not forget it. It is necessary to gather information related to malicious code scattered by various attackers to find meaningful insights.”

Hackers from North Korea employ the usual tactics used by other nation-state hacking groups and cybercriminals, including social engineering, phishing, and software exploits.

Testing New Malware Delivery Methods

The BlueNoroff subgroup of Lazarus is known to deploy a diverse arsenal of malware in multi-pronged attacks against businesses to obtain funds illicitly. Its campaigns combine sophisticated phishing tactics with malware, followed by laundering of the stolen funds.

According to cybersecurity lab Kaspersky's report this week, BlueNoroff has renewed its targeting of venture capital firms, crypto startups, and banks after being quiet for most of the year. The group is now showing a spike in activity.

BlueNoroff has created over 70 fake domains designed to look like VC firms. Most fakes represent themselves as well-known Japanese companies, while others have assumed the identity of US and Vietnamese companies.

According to a recent report, the group has been experimenting with new file types and other malware delivery methods. Once in place, its malware can evade Windows Mark-of-the-Web (MoTW) security warnings about downloading content. It then goes on to “intercept large cryptocurrency transfers, changing the recipient's address, and pushing the transfer amount to the limit, essentially draining the account in a single transaction.”

As cyber threats worsen, businesses must be more vigilant than ever to protect themselves. This is according to Seongsu Park, a researcher at Kaspersky, who warns that “the coming year will be marked by the cyber epidemics with the biggest impact, the strength of which has never been seen before.”

Operators associated with the Lazarus BlueNoroff sub-group have been linked to several cyberattacks targeting small to mid-sized businesses worldwide. Even NFTs aren't off the hacking group's radar, as North Korean threat actors associated with the Lazarus Group have been trying to steal non-fungible tokens over the past few weeks.

NFT Thefts via Phishing

Blockchain security firm SlowMist released a report late last week that took a deep dive into the large-scale phishing activities carried out by North Korean APT groups targeting NFT users.

SlowMist found that one of the techniques used in a recent phishing attack involved creating fake NFT-related decoy websites offering malicious mints. These NFTs were then sold on popular platforms like OpenSea, Rarible, and X2Y2.

The Advanced Persistent Threat (APT) group was identified as TraderTraitor by the U.S. government at least as early as 2020, and it targeted crypto and NFT users with a phishing campaign that used as many as 500 different domain names.

Distinctive traits of these phishing sites included recording visitor data and saving it to external sites, requesting an NFT item price list, and a file named “imgSrc.js” that linked images to the target project.

Upon analysis of the phishing methods, SlowMist further found that the hackers utilized multiple tokens, such as WETH, USDC, DAI, and UNI, in their phishing attacks.

Largest Attack on Ronin

Earlier this year, Lazarus Group also managed to siphon more than $600 million worth of cryptocurrency off the Ronin blockchain used by the NFT game Axie Infinity. Blockchain analytics company Chainalysis called the attack the largest cryptocurrency hack yet.

Created by a Vietnamese gaming studio, Axie Infinity had more than a million active players at one point. And earlier this year, the blockchain that underpins the game's virtual world was raided by a North Korean hacking syndicate, which made off with roughly $620mn in Ethereum.

Only about $30mn of the crypto loot has since been recovered after an alliance of law enforcement agencies and crypto analysis companies traced some of the stolen funds through a series of DEXs and “crypto mixers,” a service that blends the cryptocurrencies of many users together to obfuscate the owners and origins of the funds.

The US has since sanctioned the Tornado Cash mixer, which the US Treasury said had been used by the hackers to launder more than $450mn of their Ethereum haul.

Crypto Investment Startups Targeted Too

Amidst all these attacks, Microsoft announced earlier this month that it had identified a threat actor targeting cryptocurrency investment startups. The group, which Microsoft has dubbed DEV-0139, poses as a cryptocurrency investment company on Telegram and uses a weaponized Excel file to infect systems it remotely accesses.

The threat actor showed a high level of sophistication, presenting itself with fake profiles of OKX employees and joining Telegram groups “used to facilitate communication between VIP clients and cryptocurrency exchange platforms,” Microsoft wrote.

“We are seeing an uptick in sophisticated attacks where the threat actor is very knowledgeable and has taken the time to prepare, often by building trust with their target before deploying payloads,” it further noted.

For example, a couple of months back, a target was invited to join a group and asked for feedback on an Excel document that compared the VIP fee structures of crypto exchanges HTX, Binance, and OKX. The document provided accurate information and high awareness of cryptocurrency trading, but it also invisibly sideloaded a malicious .dll (Dynamic Link Library) file to create a backdoor into the user's system. The target was then asked to open the malicious file themselves during the discussion.

Microsoft suggested that DEV-0139 is the same actor that cybersecurity firm Volexity linked to Lazarus Group, using a variant of AppleJeus malware and a Microsoft installer (MSI).

AppleJeus was documented by the United States Cybersecurity and Infrastructure Security Agency (CISA) in 2021.

A Continued Rise in Crypto Attacks

According to Chainalysis, there has been a recent increase in the scale of cryptocurrency attacks carried out by the North Korean government.

The Lazarus Group was linked to seven attacks on cryptocurrency platforms, which netted almost $400 million in digital assets in 2021 alone, compared with $300 million in 2020, according to a report by the blockchain analytics firm.

In one of its most successful years on record, the number of North Korean-linked hacks jumped from four to seven in 2021, while the value extracted from these hacks grew by 40%.

According to the report, once North Korea gained custody of the funds, it immediately began a careful process of laundering the money in order to cash it out without detection.

Although Chainalysis did not identify all targets of the cryptocurrency hacks, it said that they were mainly investment firms and centralized exchanges. One of these exchanges, Liquid.com, announced in August that an unauthorized user had gained access to some of its cryptocurrency wallets.

According to Chainalysis, the attackers used phishing lures, malware, code exploits, and advanced social engineering to siphon funds from these organizations' “hot” wallets into North Korea-controlled addresses.

The report further said that researchers had identified $170m in old, unlaundered cryptocurrency holdings from 49 separate hacks spanning from 2017 to 2021, suggesting a careful plan to cash it all out, and “not a desperate and hasty one.”

Final Note

Hackers are expected to continue exploiting the vulnerabilities of cryptocurrency tech companies, gaming companies, and exchanges to generate and launder funds in support of the North Korean regime.

It goes without saying that this is a serious issue, as North Korea has been known to use cyber attacks to steal funds to support its nuclear weapons program. This highlights the importance of cybersecurity, especially for businesses and organizations that state-sponsored hackers may target.

While the North Korean government has denied involvement in such activities, the evidence suggests that the hackers operate with the regime's blessing. Given this continued threat posed by North Korean hackers, businesses and individuals should remain vigilant and take steps to protect their digital assets.

Gaurav started trading cryptocurrencies in 2017 and has fallen in love with the crypto space ever since. His interest in everything crypto turned him into a writer specializing in cryptocurrencies and blockchain. Soon he found himself working with crypto companies and media outlets. He is also a big-time Batman fan.