North Korean state hackers are increasingly looking to steal cryptocurrency to fund the regime and circumvent tightening sanctions, according to FireEye.
The security vendor’s senior cyber threat intelligence analyst, Luke McNamara, revealed a spike in spear-phishing attacks targeting South Korean Bitcoin exchanges since May.
The timing is important because April saw the US announce increased economic sanctions against North Korea.
“The spear-phishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016”, he explained.
Those raids are thought to have been the work of sophisticated North Korean state group Lazarus.
“Add to that the ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner, and we begin to see a picture of North Korean interest in cryptocurrencies, an asset class in which bitcoin alone has increased over 400% since the beginning of this year”, said McNamara.
By compromising an exchange, the attackers could steal cryptocurrencies from online wallets, swap them for more anonymous digital currencies or send the funds to wallets on different exchanges to withdraw as fiat currencies.
The latter tactic takes advantage of the fact that, in some countries, anti-money laundering rules around online currencies may be relatively lax, McNamara argued.
The news comes as Kaspersky Lab revealed a huge increase in the number of computers attacked with malware designed to conscript them into a botnet and silently install cryptocurrency mining software.
Hackers are using two armies of botnet-controlled machines to mine Bitcoin and the like, with the Russian AV vendor observing criminals making off with more than £151,538 ($200,000) from a botnet of just 5000 PCs.
In 2013 Kaspersky Lab protected around 205,000 users globally targeted by this type of threat. In 2014 the number jumped to 701,000, and it has more than doubled again in the first eight months of 2017 to reach 1.65 million.
“The major problem with malicious miners is that it is really hard to reliably detect such activity, because the malware is using completely legitimate mining software, which in a normal situation could also be installed by a legitimate user,” argued Evgeny Lopatin, malware analyst at Kaspersky Lab.
“Another alarming thing which we have identified while observing these two new botnets is that the malicious miners are themselves becoming valuable on the underground market. We’ve seen criminals offering so-called miner builders: software which allows anyone who is willing to pay for the full version to create their own mining botnet. This means that the botnets we’ve recently identified are certainly not the last ones.”