The dramatic surge in the price of cryptocurrencies such as Bitcoin has attracted not just investors but also cybercriminals. The prolific North Korean hacker group known as the Lazarus Group has been observed launching targeted spearphishing campaigns against cryptocurrency companies in an effort to steal bitcoins.
Lazarus hackers have previously been accused of launching large-scale global attacks including the massive WannaCry ransomware epidemic, as well as bank heists like the Bangladesh Bank hack that saw $81m stolen. The notorious hacker group's activities were first brought to light after it was accused of orchestrating the infamous Sony hack in 2014.
According to security experts at Secureworks, Lazarus Group launched a phishing campaign in October using malicious decoy documents posing as a job opening for a CFO role at a European-based Bitcoin company. When opened, the document dropped a RAT (remote access Trojan), which gave Lazarus Group hackers complete access to the victim's computer.
Secureworks researchers say that they can attribute the attacks to Lazarus with "high confidence" since the campaign shares technical similarities with previous campaigns launched by the North Korean hacker group.
ZDNet reported that Secureworks researchers believe that the malware used in this campaign is a new form of Trojan, likely specially crafted for such attacks.
"The interesting thing here is that the technique and the tactics being used since last summer mark a change in the nature of the lure and the nature of the targeting. Previously, Lazarus used defence-themed lures to target defence organisations, but now they're using bitcoin-themed lures to target financial companies," Rafe Pilling, senior security researcher at Secureworks, told ZDNet.
However, North Korea's attraction to cryptocurrency is not a recent development. Secureworks researchers say that North Korea expressed interest in Bitcoin as early as 2013 and began conducting "research" into the digital currency.
"At that time, the North Koreans were using proxies to mask their originating IP address, but occasionally, those proxies failed, and revealed North Korean actors' true originating IP, which was the same North Korean IP used in previous cyber operations," Secureworks told IBTimes UK.
"Given the current rise in bitcoin prices, CTU suspects that North Korea's interest in cryptocurrency remains high and is likely continuing its activities surrounding the cryptocurrency," Secureworks said. "A number of recent intrusion activities against several bitcoin exchanges in South Korea have been tentatively attributed to North Korea. CTU researchers assess that the North Korean threat against cryptocurrency will remain elevated in the foreseeable future."
The South Korean spy agency reportedly has evidence that North Korean hackers orchestrated an attack against Bithumb, one of the South's largest cryptocurrency exchanges, in June. The spy agency also believes that Lazarus Group hackers hacked another exchange, Coinis, in September, Yonhap reported.
Researchers investigating Lazarus Group's recent campaign believe the attacks are still ongoing, indicating that cryptocurrency companies may still be vulnerable to attacks.