Since May 2017, FireEye has observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds.
This is believed to be the ‘second wave’ from a 2016 campaign, when FireEye began observing actors it believed to be North Korean utilising their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system.
McNamara wrote that FireEye began observing actors in 2016, which it believed was North Korea ‘utilising their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure from previously observed activity of North Korean actors employing cyber espionage for traditional nation state activities.’
‘Yet, given North Korea’s position as a pariah nation cut off from much of the global economy – as well as a nation that employs a government bureau to conduct illicit economic activity – this is not all that surprising. With North Korea’s tight control of its military and intelligence capabilities, it is likely that this activity was carried out to fund the state or personal coffers of Pyongyang’s elite, as international sanctions have constricted the Hermit Kingdom.’
As mentioned, FireEye now believes that North Korea is currently carrying out the second wave of this campaign: ‘state-sponsored actors seeking to steal bitcoin and other virtual currencies as a means of evading sanctions and obtaining hard currencies to fund the regime’.
Since May 2017, the research suggests, the North Korean actors involved have targeted at least three South Korean cryptocurrency exchanges with the presumed intent of stealing funds.
‘The spearphishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016.’
‘Add to that the ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner, and we begin to see a picture of North Korean interest in cryptocurrencies, an asset class in which bitcoin alone has increased over 400% since the beginning of this year.’
2017 North Korean activity against South Korean cryptocurrency targets – FireEye
April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those we have observed in following intrusion attempts, and as of yet there are no clear indications of North Korean involvement.)
April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
Early May – Spearphishing against South Korean Exchange #1 begins.
Late May – South Korean Exchange #2 compromised via spearphish.
Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
Early July – South Korean Exchange #3 targeted via spear phishing to personal account.
Benefits to targeting cryptocurrencies?
The research acknowledges that Bitcoin and cryptocurrency exchanges might seem like odd targets for a nation state, but notes that North Korea has an interest in funding ‘state coffers’ through multiple illicit activities for the continued prosperity of the Kim regime.
‘North Korea’s Office 39 is involved in activities such as gold smuggling, counterfeiting foreign currency, and even operating restaurants. Besides a focus on the global banking system and cryptocurrency exchanges, a recent report by a South Korean institute noted involvement by North Korean actors in targeting ATMs with malware, likely actors at the very least supporting similar ends.’
‘If actors compromise an exchange itself (as opposed to an individual account or wallet) they potentially can move cryptocurrencies out of online wallets, swapping them for other, more anonymous cryptocurrencies or sending them directly to other wallets on different exchanges to withdraw them in fiat currencies such as South Korean won, US dollars, or Chinese renminbi. As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls, easing this process and making the exchanges an attractive tactic for anyone seeking hard currency.’
FireEye’s report suggests that the surge of Bitcoin and other cryptocurrencies, such as Ethereum, over the last year means that nation states are starting to pay more attention to this space.
‘Recently, an advisor to President Putin in Russia announced plans to raise funds to increase Russia’s share of bitcoin mining, and senators in Australia’s parliament have proposed developing their own national cryptocurrency.’
‘Consequently,’ concluded McNamara, ‘it should be no surprise that cryptocurrencies, as an emerging asset class, are becoming a target of interest by a regime that operates in many ways like a criminal enterprise. While at present North Korea is somewhat distinctive in both their willingness to engage in financial crime and their possession of cyber espionage capabilities, the uniqueness of this combination will likely not last long-term as rising cyber powers may see similar potential. Cyber criminals may no longer be the only nefarious actors in this space.’