Recorded Future, a US cybersecurity firm, has just published a report linking the North Korean hacking group Lazarus to numerous security breaches and cyber attacks on cryptocurrency exchanges in South Korea. Malware identical to that used in the Sony Pictures breach was aimed at the South Korea-based cryptocurrency exchange Coinlink.
Lazarus Group’s most successful tactic is the distribution of Hangul Word Processor documents (HWP, the South Korean equivalent of Microsoft Word) by email. If cryptocurrency users downloaded the attachments, the malware would install itself instantly and autonomously and begin operating unnoticed. It would then take hold and manipulate any data stored on the device.
Using this tactic, North Korea managed to breach Bithumb’s security and steal $7 million. Researchers from the Insikt Group wrote, “By 2017, North Korean actors had jumped on the cryptocurrency bandwagon. The first known North Korean cryptocurrency operation occurred in February 2017, with the theft of $7 mln (at the time) in cryptocurrency from South Korean exchange Bithumb. By the end of 2017, several researchers had reported additional spear phishing campaigns against South Korean cryptocurrency exchanges, numerous successful thefts, and even Bitcoin and Monero mining.”
Recorded Future wasn’t the first to point an accusing finger at North Korea for hacks aimed at South Korea’s cryptocurrency trading platforms. FireEye researchers have linked six major hacks against South Korea to North Korean state-financed hackers. One of those attacks led to the bankruptcy of Youbit, a South Korean trading platform.
“This is an adversary that we have been watching become increasingly capable and also brazen in terms of the targets that they are willing to go after. This is really just one prong in a larger strategy that they seem to be employing since at least 2016, where they have been using capability that has been primarily used for espionage to actually steal funds.”