North Korean hackers could be stealing bitcoin to fund regime
FireEye believes North Korea's interest in cryptocurrency is driven by international sanctions
North Korean hackers may be stealing bitcoin and other virtual currencies in a bid to evade sanctions and obtain hard currencies to fund the regime.
That's according to a blog post by security firm FireEye. State-sponsored North Korean cyber-criminals have been targeting banks and the global financial system for some time in order to fund the isolated state, or perhaps just the "personal coffers of Pyongyang's elite", as international sanctions have restricted the country's economic activity. But FireEye believes that hackers are now attempting to steal virtual currencies too. Since May 2017, FireEye says, it has observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds.
"The spearphishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016," it said.
FireEye suggested that the attacks were not the only link between North Korea and cryptocurrencies. It said there were also "ties between North Korean operators and a watering hole compromise of a bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious cryptocurrency miner" - a reference to Kaspersky Lab's finding of a direct link between North Korea and the Lazarus group, the hackers behind the banking heists, who had installed Monero cryptocurrency mining software.
According to FireEye, spearphishing attempts against one South Korean exchange began early in May, and later in that month another exchange in South Korea was compromised via spearphishing. In early June, more suspected North Korean activity targeting 'unknown victims' - which FireEye believes are cryptocurrency service providers in South Korea - was reported, and in July a third South Korean exchange was targeted, once again through spearphishing a personal account.
Prior to this activity, four wallets on Yapizon, a South Korean cryptocurrency exchange, were compromised on April 22 - although FireEye says there is no indication of North Korean involvement in this.
The cyber security firm believes that the April 26 announcement by the US of increased economic sanctions against North Korea may have played a part in driving North Korean interest in cryptocurrency. By focusing on cryptocurrencies, attackers may benefit from lax anti-money laundering controls as the regulatory environment around these currencies is still emerging.
"While at present North Korea is somewhat distinctive in both their willingness to engage in financial crime and their possession of cyber espionage capabilities, the uniqueness of this combination will likely not last long-term as rising cyber powers may see similar potential," FireEye said.
"Cyber criminals may no longer be the only nefarious actors in this space," it concluded.