North Korea pursues cryptocurrency exchanges in South Korea

Why cryptocurrency exchanges and users in other countries should be aware of an increased threat from North Korean actors over the coming year

This is a contributed piece by Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future

In his 2018 New Year’s speech, Kim Jong Un acknowledged that the international sanctions and pressure were having an impact on North Korea’s economy. He called the sanctions “vicious” and vowed to increase North Korea’s independence from the global financial system.

Likely in response to this increasing economic pressure, we have seen a wave of attacks targeting cryptocurrency exchanges and users since early 2017. This campaign continues a theme in the North’s cyber operations: using cryptocurrencies to generate revenue for the Kim regime, through activity that ranges from mining to ransomware and outright theft.

The latest major operation discovered by Recorded Future was a spear phishing campaign launched in late 2017. It used four different lures to trick victims into installing malware that exploited Hangul Word Processor, a popular word processing program (.hwp file extension). Once deployed, the malware would steal information about the victim system and exfiltrate files.


The TTPs (tactics, techniques and procedures) in this campaign are consistent with well-known and researched Lazarus Group operations – widely attributed to the North Korean government. The group is best known for the 2014 attack on Sony Pictures Entertainment but has been linked to a number of attacks over the last few years.

