In 2016 we began observing actors we believe to be North Korean
utilizing their intrusion capabilities to conduct cyber crime,
targeting banks and the global financial system. This marked a
departure from previously observed activity of North Korean actors
employing cyber espionage for traditional nation state activities.
Yet, given North Korea’s position as a pariah nation cut off from much
of the global economy – as well as a nation that employs a government
bureau to conduct illicit
economic activity – this is not all that surprising. With North
Korea’s tight control of its military and intelligence capabilities,
it is likely that this activity was carried out to fund the state or
personal coffers of Pyongyang’s elite, as international sanctions have
constricted the Hermit Kingdom.
Now, we may be witnessing a second wave of this campaign:
state-sponsored actors seeking to steal bitcoin and other virtual
currencies as a means of evading sanctions and obtaining hard
currencies to fund the regime. Since May 2017, we have observed North
Korean actors target at least three South Korean cryptocurrency
exchanges with the suspected intent of stealing funds. The
spearphishing we have observed in these cases often targets personal
email accounts of employees at digital currency exchanges, frequently
using tax-themed lures and deploying malware (PEACHPIT
and similar variants) linked to North Korean actors suspected to be
responsible for intrusions into global banks in 2016.
Add to that the ties between North Korean operators and a watering
hole compromise of a bitcoin news site in 2016, as well as at least
one instance of usage of a surreptitious
cryptocurrency miner, and we begin to see a picture of North
Korean interest in cryptocurrencies, an asset class in which bitcoin
alone has increased over 400% since the beginning of this year.
2017 North Korean Activity Against South Korean Cryptocurrency Targets
- April 22 – Four
wallets on Yapizon, a South Korean cryptocurrency exchange,
are compromised. (It is worth noting that at least some of the
tactics, techniques, and procedures reportedly employed during
this compromise were different from those we have observed in
subsequent intrusion attempts, and as of yet there are no clear
indications of North Korean involvement.)
- April 26 – The
United States announces a strategy of increased economic sanctions
against North Korea. Sanctions from the international community
could be driving North Korean interest in cryptocurrency, as
- Early May – Spearphishing against South
Korean Exchange #1 begins.
- Late May – South Korean Exchange
#2 compromised via spearphish.
- Early June – More suspected
North Korean activity targeting unknown victims, believed to be
cryptocurrency service providers in South Korea.
- Early July
– South Korean Exchange #3 targeted via spear phishing to personal
Benefits to Targeting Cryptocurrencies
While bitcoin and cryptocurrency exchanges may seem like odd targets
for nation state actors interested in funding state coffers, some of
the other illicit endeavors North Korea pursues further demonstrate
interest in conducting financial crime on the regime’s behalf. North
Korea’s Office 39 is involved in activities such as gold smuggling,
counterfeiting foreign currency, and even operating restaurants.
Besides a focus on the global banking system and cryptocurrency
exchanges, a recent report by a South Korean institute noted
involvement by North Korean actors in targeting
ATMs with malware, likely actors at the very least supporting
If actors compromise an exchange itself (as opposed to an individual
account or wallet), they can potentially move cryptocurrencies out of
online wallets, swapping them for other, more anonymous
cryptocurrencies or sending them directly to other wallets on different
exchanges to withdraw them in fiat currencies such as South Korean
won, US dollars, or Chinese renminbi. As the regulatory environment
around cryptocurrencies is still emerging, some exchanges in different
jurisdictions may have lax anti-money laundering controls, easing this
process and making the exchanges an attractive tactic for anyone seeking
As bitcoin and other cryptocurrencies have increased in value in the
last year, nation states are beginning to take notice. Recently, an
advisor to President Putin in Russia announced plans
to raise funds to increase Russia’s share of bitcoin mining, and
senators in Australia’s parliament have proposed developing their own
Consequently, it should be no surprise that cryptocurrencies, as an
emerging asset class, are becoming a target of interest for a regime
that operates in many ways like a criminal enterprise. While at
present North Korea is somewhat distinctive in both its willingness
to engage in financial crime and its possession of cyber espionage
capabilities, the uniqueness of this combination will likely not last
long-term, as rising cyber powers may see similar potential. Cyber
criminals may no longer be the only nefarious actors in this space.