The Lazarus Group is targeting cryptocurrency users, according to various figures in the security community, including cybersecurity firm Proofpoint (of Sunnyvale, California) who issued a report on Tuesday with information about “a number of multistage attacks that use cryptocurrency-related lures to infect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group”.
Proofpoint said they had discovered “what appears to be the first publicly documented instance of a nation-state targeting a point-of-sale related framework for the theft of credit card data in a related set of attacks”. They pointed out that the timing of the attacks near the holiday shopping season makes the potential financial losses considerable.
The Lazarus Group were also thought to be behind a recent attack targeting employees at a cryptocurrency firm in London. Phishing emails carrying a downloadable Microsoft Word attachment were sent; if opened, the attachment would spread malware across the employee’s computer networks and mine bitcoin in the background on the victim’s computer. Security researchers at Secureworks, an Atlanta, Georgia based cybersecurity firm, noted similarities to other hacks conducted by the Lazarus Group, including reuse of components of the C2 protocol used to communicate with the group’s command and control servers.
“Our inference based on previous activity is that this is the goal of the attack, particularly in light of recent reporting from other sources that North Korea has an increased focus on bitcoin and obtaining bitcoin,” Rafe Pilling, senior security researcher at Secureworks, told IT news site ZDNet.
North Korean hackers are also thought to have been responsible for the bankruptcy of Youbit, a South Korean bitcoin exchange, in April, and for a second cyber heist that forced the exchange to shut down again earlier this week. Earlier this year, South Korea’s CWIC Cyber Warfare Research Center said that the rogue nation could be targeting the virtual currency in response to heavier economic sanctions.
“Bitcoin could be the biggest global sting operation ever,” Andy Norton, director of threat intelligence at Lastline told Newsweek. “It’s like a black hole attracting bad actors and dirty money from all around the world. If North Korea are using it to avoid sanctions it could lead to a coordinated response by various governments to shut down access to those funds locked in bitcoin.”
The Lazarus Group are presumed to have been the masterminds behind the 2014 Sony Pictures hack and the Bangladesh Bank hack, in which hackers stole $81M undetected, in addition to the May WannaCry malware attacks, which U.S. authorities pinned on North Korea earlier this week, as did the U.K.’s GCHQ.
Proofpoint says that “The Lazarus Group is widely accepted as being a North Korean state-sponsored threat actor”, and notes that the group has been “increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies”.
Thefts of Bitcoin have been spiralling upwards as Bitcoin prices have surged over 2017, hitting a record $19,666 for one bitcoin on December 17; however, prices tumbled almost 30 per cent on Friday as investors reacted to warnings from regulators worldwide and increasing concerns about the security of the cryptocurrency. The lurch downwards was the biggest seen since the currency began its rise from $1,000 at the start of the year. The rapid movements of the currency have drawn comparisons with the dotcom bubble of the late 1990s.