North Korean hacking group Lazarus targeting bitcoin and point-of-sale infrastructure in dash for cash

North Korea's Lazarus Group following the money, warns Proofpoint

Researchers at cyber security firm Proofpoint have found that North Korean cyber crooks are increasingly launching cyber attacks on individuals and corporations globally.

These attackers, who work for the North Korea-sponsored Lazarus Group, are increasing the number of "sophisticated" and "targeted" attacks they conduct worldwide.

The hacking group is widely thought to be behind WannaCry, a ransomware attack that affected more than 200,000 people and 300,000 computers.

According to the security specialists, many of the crime organisation's attacks have targeted individuals rather than just corporations.

Looking to make big bucks, the attackers have targeted cryptocurrencies such as Bitcoin and point-of-sale infrastructure for financial gain.

Proofpoint claims that Lazarus is the "first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain".

The company has been documenting the custom-built tools and procedures the group has been using to conduct these attacks, specifically cryptocurrency theft.

Patrick Wheeler, director of threat intelligence at Proofpoint, has been leading the research into the group's activities. He said the hackers have had a "destructive" and "costly" effect on targets.

"The Lazarus Group is a sophisticated, state-sponsored APT group with a long history of successful destructive, disruptive, and costly attacks on worldwide targets," he said.

He explained that these organisations tend to initiate cyber attacks for espionage and terrorism crimes, but Lazarus is different in that it's only interested in making money.

"State-sponsored groups are generally focused on espionage and disruption. However, our findings on their recent activities relate to the financially motivated arm of Lazarus, the operations of which are peculiar to the North Korean group," he said.

"These actions, including the targeting of cryptocurrency exchange credentials and point-of-sale infrastructure, are significant for a number of reasons."

Wheeler said Lazarus has developed a range of custom tools to launch its attacks. "Cryptocurrencies are nothing new to threat actors, state-sponsored or otherwise. However, in this case we were able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft," he said.

Lazarus is attracted to targets that lack "resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor's toolkit".

Wheeler added: "Bringing the tools and resources of a state-sponsored attack group to bear against individuals and infrastructure used by large numbers of private citizens raises the stakes considerably when assessing potential impact.

"We were able to differentiate the actions of the financially motivated team within Lazarus from those of their espionage and disruption groups that have recently grabbed headlines, providing better insight into their operations and the worldwide threat represented by Lazarus."