North Korea Attacks London Cryptocurrency Firm

The Lazarus Group, a cybercrime gang with links to the North Korean government, has been targeting Bitcoin industry insiders in an effort to steal their credentials (and, presumably, their Bitcoin).

According to the Secureworks Counter Threat Unit (CTU), a targeted spear-phishing email campaign aimed at employees of a London cryptocurrency company is making the rounds, purporting to discuss a job opening for a CFO. The supposed attached job listing in fact installs a remote access trojan (RAT), which allows the attackers to download more malware, take control of a victim’s device and steal data, including network credentials.

Lazarus, one hacking arm of the North Korean regime, is thought to be behind the WannaCry ransomware campaign, the $81 million Bangladesh central bank heist, as well as the infamous 2014 attack on Sony Pictures. Meanwhile, Recorded Future recently said that North Korean threat actors have begun amassing experience procuring cryptocurrency both legally and illegally, including, likely, recent intrusions into several Bitcoin exchanges in South Korea.

“North Korean threat actors have been conducting cyber-operations to generate funds for the Kim regime likely since at least 2015, but appear to have become interested in Bitcoin and cryptocurrency only over the past six months,” Recorded Future said.

The firm’s analysis discovered in May that users in North Korea had begun to mine Bitcoin. Before then, there had been virtually no activity to Bitcoin-related sites or nodes, or utilizing Bitcoin-specific ports or protocols. Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day.

Given that Bitcoin prices have continued to rise, North Korea’s interest in cryptocurrency is unsurprising. The virtual currency topped $17,500 on Friday.

“Cyber-criminals are increasingly looking to monetize their efforts, and with the recent increase in Bitcoin valuation it’s not surprising that they’re after such targets, especially since phishing campaigns are increasingly able to bypass legacy email filters and gateways,” Eyal Benishti, founder and CEO of IRONSCALES, told Infosecurity via email.
