Lazarus: North Korean hackers linked to Sony hack were behind cryptocurrency attacks in South Korea
"This late 2017 campaign is a continuation of North Korea's interest in cryptocurrency," researchers said.
(This article has been updated with comment from cryptocurrency exchange Coinlink refuting Recorded Future's report)
Notorious North Korean hacking outfit Lazarus Group was behind cyberattacks that targeted South Korean cryptocurrency exchanges and users towards the end of 2017, security researchers have found.
Believed to be linked to the Pyongyang regime, Lazarus has been tied to the major 2014 Sony Pictures Entertainment hack that cost the studio millions of dollars and the WannaCry ransomware attack that wreaked havoc worldwide last year.
According to cybersecurity firm Recorded Future, the hacking group launched a spear-phishing campaign targeting several cryptocurrency exchanges such as Coinlink, its users and South Korean college students interested in foreign affairs.
However, Coinlink told IBTimes UK that it was not targeted by hackers and that its users' emails and passwords have not been compromised.
"After contacting our security company, there are no real attempts to attack our site from North Korea. Also, email and passwords have not been hacked," a representative for Coinlink said via email.
Recorded Future researchers said the campaign was launched in the weeks leading up to North Korean dictator Kim Jong-un's New Year speech and the subsequent dialogue between the two Koreas.
In this campaign, the hackers used four different lures to deploy malware that exploits a known Ghostscript vulnerability, CVE-2017-8291, to target users of Hancom's Hangul Word Processor, the popular Korean-language word processor.
"The campaign we discovered showcases a clear use of Lazarus TTPs to target cryptocurrency exchanges and social institutions in South Korea," researchers reported. State-sponsored North Korean threat actors have been known to use Hangul exploits and malware-laced .hwp files in the past when targeting South Korean users, they noted.
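The lures described above reached victims as Hangul (.hwp) documents carrying PostScript that Ghostscript would process. The following triage helper is an added example written for this article, not code from Recorded Future, IBTimes UK or Hancom: it flags office documents whose binary streams contain PostScript/EPS content, which is the carrier a defender would want surfaced for review. It assumes (not stated in the article) that HWP 5.x files are OLE2 compound files whose embedded binaries are stored as raw-deflate streams aligned to 64-byte sectors; the two sample blobs are constructed stand-ins, not real lure documents.

```python
"""Triage helper: flag Hangul (.hwp) documents that carry embedded PostScript.

Added example. Assumptions not taken from the article: HWP 5.x files are OLE2
compound files; embedded binaries (BinData) are raw-deflate streams
(zlib wbits=-15) starting on 64-byte sector boundaries. The sample blobs at
the bottom are constructed stand-ins, not real documents.
"""
import re
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / CFBF signature
PS_HEADER = b"%!PS"                               # start of a PostScript/EPS program
SECTOR = 64                                       # OLE mini-stream sector size (assumed)
CHUNK = 1 << 16                                   # bytes fed to each decompress attempt


def is_ole(blob: bytes) -> bool:
    """True when the blob carries the OLE2 compound-file signature."""
    return blob.startswith(OLE_MAGIC)


def find_postscript(blob: bytes, step: int = SECTOR) -> list:
    """Return (offset, kind) pairs for PostScript headers found in the blob.

    kind is 'plain' when the header is stored uncompressed and 'deflate' when
    it appears after raw-deflate decompression of a stream beginning at offset.
    """
    hits = [(m.start(), "plain") for m in re.finditer(re.escape(PS_HEADER), blob)]
    for offset in range(0, len(blob), step):
        inflater = zlib.decompressobj(-15)       # raw deflate, no zlib header
        try:
            out = inflater.decompress(blob[offset:offset + CHUNK])
        except zlib.error:
            continue                             # no deflate stream starts here
        if PS_HEADER in out[:256]:               # EPS files open with the header
            hits.append((offset, "deflate"))
    return hits


def triage(blob: bytes) -> dict:
    """Summarise one document: container type, hits and a review verdict."""
    hits = find_postscript(blob)
    return {
        "is_ole": is_ole(blob),
        "postscript_hits": hits,
        "verdict": "review" if hits else "no-postscript",
    }


def _raw_deflate(data: bytes) -> bytes:
    """Compress as raw deflate, the way HWP BinData is assumed to be stored."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def build_sample(embedded: bytes) -> bytes:
    """Constructed OLE-like blob: signature sector, then one deflate stream."""
    header = OLE_MAGIC.ljust(512, b"\x00")
    return header + _raw_deflate(embedded).ljust(512, b"\x00")


# Constructed samples: a document embedding a harmless EPS stub, and a benign one.
SAMPLE_WITH_EPS = build_sample(
    b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\nshowpage\n"
)
SAMPLE_BENIGN = build_sample(b"Plain text attachment, nothing embedded.\n")

if __name__ == "__main__":
    for name, blob in (("eps", SAMPLE_WITH_EPS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob))
```

A hit is a reason to open the document in a sandbox or strip the embedded object before delivery, not a verdict that the file is malicious: legitimate EPS figures also trigger it. Running the real files through a parser such as an OLE library would replace the sector-stepping guess with exact stream boundaries.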
The four lures included a crypto-themed one designed to steal the emails and passwords of Coinlink users and two others that appeared to be stolen resumes from actual South Korean computer scientists with experience at cryptocurrency exchanges.
The fourth document was lifted from a blog run by the "Friends of MOFA [ministry of foreign affairs]" group, which detailed a recent September 2017 event that featured South Korean President Moon Jae-in.
"Upon deobfuscating the payloads, we found 32-bit DLLs built in part on the Destover malware code," researchers said. "Destover has been used in a number of North Korea-attributed operations: most infamously against Sony Pictures Entertainment in 2014, the Polish banking attacks in January 2017, and the first WannaCry victim in February 2017."
Researchers said they observed similarities in the malware code that pointed to the Lazarus Group.
"Lazarus malware families overlap, likely as the result of the developers cutting-and-splicing an extensive codebase of malicious functionality to generate payloads as needed," they reported. "This erratic composition makes the Lazarus intrusion malware difficult to identify and group or cluster, unless they are analysed at the level of code similarity."
The infamous Hidden Cobra's activities
Also known as Hidden Cobra in the US, Lazarus Group has been held responsible for a series of cyberattacks dating back to 2009, including DDoS attacks, operations against financial organisations and government agencies in the US and South Korea, the large-scale attacks on South Korean banking and media sectors in 2013, and the high-profile Sony hack in 2014.
The group is also believed to be behind the devastating WannaCry attacks that crippled businesses and institutions across the globe in 2017.
In recent years, North Korean hackers have shifted their focus toward financial institutions to steal and generate funds for the government, getting around international sanctions and trade restrictions. In 2017, as the popularity, interest and value of cryptocurrency grew, the group began targeting cryptocurrency as well.
"This late 2017 campaign is a continuation of North Korea's interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft," researchers pointed out.
Several cryptocurrency exchanges were targeted by hackers last year, including Bithumb, Youbit and Yapizon, which lost millions of dollars' worth of cryptocurrency in those attacks. While most of the recent cryptocurrency attacks have primarily targeted South Korean exchanges and users, researchers expect this to change in 2018 as the group expands its targets.
"We assess that as South Korea responds to these attempted thefts by increasing security (and possibly banning cryptocurrency trading) they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well," researchers added.
"As South Korean exchanges harden their networks and the government imposes stricter regulatory controls on cryptocurrencies, exchanges and users in other countries should be aware of the increased threat level from North Korean actors."