Broadening their criminal repertoire, North Korean hackers are seeking to loot exchange platforms for bitcoins and other digital currencies, a researcher for the cybersecurity firm FireEye says.
Luke McNamara, a senior cyberthreat intelligence analyst with the Milpitas, California, firm, said the hackers targeted three bitcoin exchanges in South Korea between May and July.
“We know that at least one of the intrusion attempts was successful,” McNamara said.
After studying the social media accounts of employees at the exchanges, the hackers sent emails containing malicious code disguised as queries about tax and regulatory matters of deep concern in the cryptocurrency world, McNamara said.
Embedded in the emails was a unique “backdoor” tool favored by hackers and written in code that McNamara said is “exclusively used by North Korean actors.” The malicious tool allowed the hackers to examine infected networks, drop further malware inside and begin to move bitcoins to accounts at platforms in other countries, he added.
FireEye has named the Remote Access Trojan used by the North Korean hackers “PeachPit,” and said it is a variant of malware deployed by North Korea in 2016 hacks on several banks worldwide.
In at least one of the digital currency platform hacks, McNamara said, “We were able to actually observe the code being used.”
McNamara declined to name the exchange platforms that were targeted but said one was among “the top three exchanges in South Korea,” which would mean it was handling hundreds of millions of dollars in transactions a day.
News reports from South Korea in early July said Bithumb, the largest digital currency exchange by volume in the nation, suffered a breach and saw data on 30,000 customers compromised. The quasi-governmental Yonhap news agency reported that some customers “claimed they suffered financial damage.” The extent of the losses was not divulged.
Bithumb handled transactions for both bitcoin and ethereum, a competing digital currency. The two soared in value earlier this year before pulling back some of their gains.
Conducting financial crime abroad on North Korea’s behalf “does fit in their pattern,” said Leo Taddeo, a former FBI cyber expert who is chief information security officer for Cyxtera Technologies, which operates data centers and offers techniques to guard against penetration at network perimeters.
“They make some of the best counterfeit notes out there,” Taddeo said. “They need cash. They are not opposed to smuggling and other criminal activity to get cash.”
Several cybersecurity research firms blamed North Korea for plundering $81 million from the central bank of Bangladesh in 2016.
U.S. officials blamed North Korea for the crippling 2014 hack of Sony Pictures in which confidential emails were taken and released, embarrassing the studio and delaying the release of The Interview, a spoof about journalists plotting to assassinate leader Kim Jong-un.
Researchers for several cybersecurity firms have also linked North Korean hackers to the global ransomware attack in May known as WannaCry, saying it was the work of a hacker unit known as the Lazarus Group. The attack infected more than 300,000 computers in 150 nations.
As North Korea endures international sanctions for its nuclear program, Lazarus Group, and subgroups that researchers dub Andariel and BlueNoroff, have turned to cybercrime to raise cash, including targeting ATMs, using stolen credit card information and stealing banking data, according to a July report by South Korea’s state-backed Financial Security Institute.
Correction: An earlier version of this story reported that certain malware, called "Peachpit" by the cybersecurity firm FireEye, was used to hack the Bangladeshi central bank in 2016. A different type of malware was used in that heist.