The cryptocurrency sector may still be in a bearish phase, but the state-sponsored North Korean hacking group Lazarus remains absurdly bullish on the bitcoin industry – at least if its continued focus on the sector is anything to go by.
For Lazarus, Crypto Exchanges are the Geese that lay Golden Eggs
Per cybersecurity firm Kaspersky Lab, both Mac and Windows OS users remain vulnerable to the group’s ongoing hacking effort. Lazarus is understood to have launched the operation in November last year.
For this effort, the hacking group has created custom PowerShell scripts which communicate with malicious command & control (C2) servers and run commands initiated by the operator. The names of the C2 server script names are made to look like WordPress files or other open source projects.
Once control of the server is gained, the malware can collect basic information on the host. The malware is also able to download and upload files as well as execute system shell commands among other things.
The Kaspersky Lab report further states that Lazarus is only hosting malware on rented servers. Compromised servers are used to host the command & control scripts. For some reason, Lazarus is disproportionately focused on North Korea’s geopolitical rival, South Korea.
As cryptocurrency exchanges are top of the list among the North Korean hacking group’s targets, Kaspersky Lab has urged vigilance:
“If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems.”
North Korea Uses Bitcoin to Evade Sanctions
According to a report by a United Nations Security Council panel of experts, the cybercrime activities carried out by North Korea are mainly to obtain funds as a way of circumventing the various economic sanctions imposed on the hermit state:
“The Panel notes a trend in the Democratic People’s Republic of Korea’s evasion of financial sanctions of using cyberattacks to illegally force the transfer of funds from financial institutions and cryptocurrency exchanges.”
The UN report indicated that North Korean hackers were responsible for stealing more than $0.5 billion from cryptocurrency exchanges.
UN report links North Korean hackers to theft of $571 million from cryptocurrency exchanges https://t.co/IzcEjcA1Fk
— CyberScoop (@CyberScoopNews) March 16, 2019
Threat intelligence and anti-fraud solutions firm Group IB has stated that Lazarus is responsible for the hacking of Japanese crypto exchange Coincheck last year in January. Group IB estimates that between 2017 and 2018 Lazarus stole nearly $600 million.
North Korea is ‘Pro-Crypto’ – But Not for the Reason You Are
Per the UN Security Council panel, Lazarus’ targeting of cryptocurrency exchanges is no accident. This is because the pseudonymous nature of blockchain makes it difficult to pinpoint blame on North Korea. Additionally, cryptocurrencies are mostly free from government oversight:
“[C]yberattacks involving cryptocurrencies provide the Democratic People’s Republic of Korea with more ways to evade sanctions given that they are harder to trace, can be laundered many times and are independent from government regulation.”