North Korean Hackers Have Stolen Crypto Worth US$1.72 Billion
Cyberattacks by North Korea on South Korean Policy Experts; Crypto Worth US$1.72 Billion Stolen
A North Korean state-sponsored APT group targeted nearly 900 South Korean foreign policy experts, stealing their personal information and carrying out ransomware attacks. The South Korean National Police Agency stated that the attackers used a phishing campaign to trick the victims into revealing their data.
Individuals targeted primarily had backgrounds in diplomacy, defense, and security, working toward Korean unification. According to police, at least 49 recipients fell victim to the phishing scam. The latest campaign is being blamed on North Korean advanced persistent threat actor Kimsuky, the same group that is suspected of hacking Korea Hydro and Nuclear Power in 2014. This APT has a history of targeting think tanks and journalists all over the world. Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, is a state-sponsored APT that has been active since 2012. North Korea allegedly uses the APT to gather intelligence on Korean Peninsula foreign policy and national security issues, and espionage has been its primary motivation until now.
This is the first time police have seen the group deploy ransomware and then demand a ransom in exchange for decrypting the data. A ransomware variant infected 19 servers operated by 13 companies, and two of these companies paid the group a ransom of 2.5 million won (US$1,980) in bitcoin. In 2020, the US government warned that Kimsuky had also been active in the US and Japan. In the latest campaign, the threat actor sent spear-phishing emails from multiple accounts impersonating government officials. Those targeted included a reporter covering the 20th Presidential Transition Committee in April, a secretary in the ruling People Power Party office of Tae Yong-ho in May, and an official from the Korean National Diplomatic Academy in October.
All emails contained a link to a bogus website or an attachment containing malware. Threat actors used IP addresses from hacked servers to avoid being tracked. The attackers took control of 326 servers in 26 countries, 87 of which belonged to Korean organizations. Proofpoint cybersecurity researchers observed a significant increase in Kimsuky APT cyber espionage operations in 2021. The group targeted diplomats and policy experts in Asia, the United Kingdom, and the United States. In 2022, the APT group released Android malware designed to target South Korean users by disguising malicious apps as legitimate ones such as a Google security plug-in and a document viewer.
Police expect North Korean hackers to continue their activities and have urged citizens to protect their email accounts and other critical infrastructure. In a press conference on December 22, the National Intelligence Service also predicted that North Korea’s cyber offensive would continue next year. In predicting potential threats to the country’s cybersecurity in 2023, Baek Jong-Wook, deputy director of the NIS, stated that state-backed hackers from North Korea and China will continue to target South Korea to steal intellectual property.
The South Korean nuclear industry, space, semiconductor, and national defense sectors, as well as joint strategies with the US, are likely on the radar. In November, South Korea faced an average of 1.18 million attempted cyberattacks per day from hackers worldwide. According to Baek Jong-Wook, North Korean hackers are known to target virtual assets such as digital coins and cryptocurrencies, and he believes they have stolen nearly US$1.72 billion in cryptocurrency worldwide since 2017. SlowMist, a blockchain security firm, revealed this week that North Korean attackers are impersonating popular non-fungible token platforms and decentralized finance marketplaces via phishing websites to steal digital assets worth thousands of dollars.