North Korean Hackers Also Blamed for Phishing, SWIFT Fraud, POS and ATM Malware
Police in South Korea investigating the hack of a cryptocurrency exchange are eyeing a hacking group tied to the government of North Korea as likely culprits, the Wall Street Journal reports.
On Tuesday, South Korean company Yapian, which operates the Seoul-based Youbit cryptocurrency exchange, suspended the use of all cryptocurrency and cash withdrawals and announced that it was declaring bankruptcy. Yapian reported that it lost 17 percent of its assets after a hacker on Tuesday stole the entire contents of its hot wallet. “The other coins were kept in the cold wallet and there were no additional losses,” the company says in a statement.
The company has not specified the type of cryptocurrency stolen or the value of the lost assets. But Yapian says that it holds a cyber insurance policy worth $2.8 million.
News of the hack was first reported by the Wall Street Journal, which says South Korean police and the Korea Internet & Security Agency are in the early stages of their investigation.
Cryptocurrency is held in wallets, which in practice means the private keys that authorize spending. A hot wallet keeps those keys on internet-connected systems so that an exchange or service provider can process withdrawals instantly. A cold wallet keeps the keys on an offline device that is connected to a PC or server only when a transaction must be signed. As long as the keys stay offline, they are out of reach of remote attackers, which is why a breach of an exchange typically empties the hot wallet but not the cold one.
Yapian said that it would allow users to withdraw 75 percent of their balance with Youbit and pay out the rest after reaching a final bankruptcy settlement.
A spokesman at DB Insurance Co. tells the Wall Street Journal that Yapian purchased a one-year cyber insurance policy from it on Dec. 1 and that Yapian has not yet filed a claim over the attack. It has three years to do so.
The Youbit hack follows an April hacking “accident” at Yapian that also resulted in lost assets. Unnamed sources in South Korea told the Wall Street Journal that investigators concluded that a North Korean hacking team was behind that theft, and said Pyongyang-backed hackers had targeted at least two other South Korean exchanges between April and October of this year.
South Korea’s Bitcoin Fever
South Korea is the world’s third-largest trading market for bitcoins – following Japan and the United States – and the world’s biggest market for trading ether, Ethereum’s cryptocurrency.
As the country’s trading volumes and the value of cryptocurrency have increased, the South Korean government has announced plans to regulate such trading. Measures under consideration include banning minors from trading as well as a value-added tax or capital gains tax on cryptocurrency.
The massive spike in the value of a bitcoin – worth less than $1,000 at the beginning of the year to near $20,000 in recent weeks – has led many more criminals to come calling (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).
Fraud expert Avivah Litan at Gartner Group tells Information Security Media Group that several major cybercrime gangs appear to have literally dropped everything “and moved over to bitcoin hacking” (see Cryptocurrency Infrastructure Flaws Pose Bitcoin Risks).
Hackers Bet on Bitcoins
South Korea’s cash-strapped neighbor to the north appears to be trying to cash in on the bitcoin fever. Any future rise in the cryptocurrency’s value could make it a good long-term investment for the Pyongyang-based government of what is officially known as the Democratic People’s Republic of Korea.
“It is a fact that North Korea has been attacking virtual currency exchanges,” Lee Dong-geun, a director with South Korea’s state-run Korea Internet and Security Agency, tells CNN. “We don’t know how much North Korea has stolen so far, but we do know that the police have confirmed the regime’s hacking attempts.”
North Korea is desperate for cash in part because of U.S. sanctions over the country’s nuclear efforts and ballistic missile program. The country’s massive unpaid debts have also left it unable to access the debt market as a source of financing.
Hack attacks against bitcoin exchanges and traders are nothing new. Unfortunately, the infrastructure of many bitcoin exchanges has repeatedly proven unable to withstand them.
“Bitcoin exchanges are like big poorly built Death Stars that inevitably get blown up by one dork across twenty movies in a row,” Christopher Boyd, a researcher at security firm Malwarebytes, says via Twitter.
In April 2013, former Tokyo-based bitcoin exchange Mt. Gox – then the world’s largest cryptocurrency exchange – warned that DDoS attackers were attempting to disrupt the exchange and force the price of bitcoin to drop.
Then in February 2014, the exchange declared bankruptcy after hackers stole 850,000 of its bitcoins and $28 million in cash (see Feds Indict Russian Over BTC-e Bitcoin Exchange).
In 2015, a U.K. exchange lost 18,977 bitcoins – then worth $5 million – after attackers used macros in a malicious Microsoft Word document to infect a system that was connected to the exchange’s hot wallet (see Bitcoin Exchange Hacked With Word Macro).
Earlier this month, Slovenia-based digital currency marketplace NiceHash announced that it was suspending operations for at least 24 hours after hackers breached its systems and stole 4,700 bitcoins. NiceHash has been the world’s largest cryptocurrency mining marketplace, allowing users to buy or rent cryptocurrency mining power from one another’s servers. As of Thursday, operations remain suspended.
Organizations and Individuals Targeted
Individual bitcoin holders are also at risk. This month, security researchers warned that attackers have been sending would-be victims a fake job advertisement purporting to come from a London-based company that develops bitcoin wallet software and runs a cryptocurrency exchange. These phishing messages included a Microsoft Word document with a malicious macro which, if executed, would allow attackers to push additional malware onto the system.
The researchers have tied these attacks to Lazarus group, a hacking team believed to be tied to Pyongyang (see Lazarus Hackers Phish For Bitcoins, Researchers Warn).
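The macro-laden Word document described above, and the one used against the U.K. exchange earlier in this piece, are both delivered as email attachments, so the cheapest place to stop them is a mail-gateway check that refuses or quarantines any Office document carrying a VBA project. The following Go program is an added example, not code from the article or from any of the researchers it cites. It treats the attachment as an Office Open XML zip package, looks for the `vbaProject.bin` part and for the matching content-type declaration, and reports a separate “unknown” verdict for legacy binary .doc/.xls files, which are OLE2 containers rather than zips and need a different parser. The sample documents are constructed in memory for the demo; their “VBA project” is a placeholder byte string, not a real compiled project, and the auto-run name scan is only a heuristic because real VBA source inside `vbaProject.bin` is compressed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Verdict summarises what the scanner found in one attachment.
type Verdict struct {
	IsOOXML      bool     // parsed as an Office Open XML zip (docx, docm, xlsm, ...)
	HasVBA       bool     // a VBA project part is present: the document carries macros
	VBAParts     []string // zip entries holding the macro project
	AutoExecHint bool     // an auto-run procedure name was visible in plaintext (heuristic)
}

// Procedure names Office runs without a click. Source inside vbaProject.bin is
// MS-OVBA compressed, so these may be invisible; the hint is a bonus, not the check.
var autoExecNames = []string{"AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "Auto_Open"}

// ScanOOXML inspects an in-memory attachment for VBA macros. Anything that is not
// a zip (legacy binary .doc/.xls keep macros in OLE2 storages) comes back with
// IsOOXML=false, meaning "unknown", not "clean": route it to an OLE parser.
func ScanOOXML(data []byte) (Verdict, error) {
	var v Verdict
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return v, nil
	}
	v.IsOOXML = true
	for _, f := range zr.File {
		lower := strings.ToLower(f.Name)
		isVBA := path.Base(lower) == "vbaproject.bin"
		isTypes := lower == "[content_types].xml"
		if !isVBA && !isTypes {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return v, err
		}
		body, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return v, err
		}
		if isVBA {
			v.HasVBA = true
			v.VBAParts = append(v.VBAParts, f.Name)
			for _, name := range autoExecNames {
				if bytes.Contains(body, []byte(name)) {
					v.AutoExecHint = true
					break
				}
			}
		}
		// The package manifest must declare the VBA part; this also catches a
		// project stored under an unusual path.
		if isTypes && bytes.Contains(body, []byte("application/vnd.ms-office.vbaProject")) {
			v.HasVBA = true
		}
	}
	return v, nil
}

// BuildSample constructs a minimal OOXML package for the demo (constructed input;
// the macro part is placeholder text, not a real VBA project).
func BuildSample(withMacro bool) []byte {
	types := `<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>`
	parts := map[string]string{
		"word/document.xml": `<w:document><w:body><w:p>Job offer: Senior Wallet Engineer</w:p></w:body></w:document>`,
	}
	if withMacro {
		types += `<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>`
		parts["word/vbaProject.bin"] = "PROJECT\x00Module1\x00Sub AutoOpen()\x00' placeholder, not real VBA\x00"
	}
	parts["[Content_Types].xml"] = types + `</Types>`
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range parts {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	samples := []struct {
		label string
		data  []byte
	}{
		{"macro-enabled lure", BuildSample(true)},
		{"plain document", BuildSample(false)},
		{"legacy binary (not a zip)", []byte("\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed OLE2 header")},
	}
	for _, s := range samples {
		v, err := ScanOOXML(s.data)
		fmt.Printf("%-26s ooxml=%-5t vba=%-5t autoexec=%-5t parts=%v err=%v\n",
			s.label, v.IsOOXML, v.HasVBA, v.AutoExecHint, v.VBAParts, err)
	}
}
```

A gateway rule built on this would quarantine on `HasVBA`, escalate on `AutoExecHint`, and hand anything with `IsOOXML == false` to an OLE2-aware scanner rather than letting it through; the presence of the project part, not the name scan, is the reliable signal.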
Infecting a bitcoin trader’s system with malware lets attackers simply wait: when the victim loads the keys of a cold wallet – cryptocurrency held in cold storage – onto that PC to make a transaction, the keys are exposed to the infected host, the wallet is effectively a hot wallet, and the malware can drain it of its bitcoins.
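The hot/cold split described earlier, and the failure mode just described, come down to one design rule: the private key is never loaded onto the online host. The following Go program is an added example, not code from the article or from any exchange it mentions, of how that separation looks in practice. An offline signer holds the key and a spending limit; the internet-facing host only ever handles unsigned transfer requests and finished signatures, and verifies each signature with the public key before broadcasting. It uses Ed25519 from the Go standard library as a stand-in for whatever signature scheme a real chain uses (bitcoin uses secp256k1 ECDSA), and the `Transfer` structure, nonce handling and “broadcast” list are simplifications constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transfer is a simplified withdrawal request (constructed for the demo; real
// chains have their own serialisation). Only who may sign it matters here.
type Transfer struct {
	From   string // hex public key of the cold wallet being spent
	To     string
	Amount uint64
	Nonce  uint64 // makes each signed transfer single-use
}

// Digest is the canonical bytes both sides sign and verify.
func (t Transfer) Digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", t.From, t.To, t.Amount, t.Nonce)))
	return sum[:]
}

// ColdSigner models the offline device: the only copy of the private key plus a
// spending limit that a compromised hot host cannot change.
type ColdSigner struct {
	priv     ed25519.PrivateKey
	maxPerTx uint64
}

func NewColdSigner(maxPerTx uint64) (*ColdSigner, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ColdSigner{priv: priv, maxPerTx: maxPerTx}, nil
}

// Address is the only secret-free value the cold side exports to the online world.
func (c *ColdSigner) Address() string {
	return hex.EncodeToString(c.priv.Public().(ed25519.PublicKey))
}

// Sign is the single operation that crosses the air gap: an unsigned transfer
// goes in, a signature comes out, the key never leaves.
func (c *ColdSigner) Sign(t Transfer) ([]byte, error) {
	if t.From != c.Address() {
		return nil, errors.New("cold signer: transfer does not spend from this key")
	}
	if t.Amount > c.maxPerTx {
		return nil, errors.New("cold signer: amount exceeds offline spending limit")
	}
	return ed25519.Sign(c.priv, t.Digest()), nil
}

// HotHost models the internet-facing exchange service. It holds the public key
// only, so malware on it can forge requests but never valid signatures.
type HotHost struct {
	pub       ed25519.PublicKey
	nextNonce uint64
	Sent      []Transfer // stand-in for the network broadcast
}

func NewHotHost(address string) (*HotHost, error) {
	pub, err := hex.DecodeString(address)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("hot host: bad cold-wallet address")
	}
	return &HotHost{pub: ed25519.PublicKey(pub)}, nil
}

// NewTransfer prepares an unsigned request to carry over to the cold device.
func (h *HotHost) NewTransfer(to string, amount uint64) Transfer {
	return Transfer{From: hex.EncodeToString(h.pub), To: to, Amount: amount, Nonce: h.nextNonce}
}

// Broadcast accepts a transfer only with a valid cold-side signature over exactly
// these fields and the expected nonce, so tampered or replayed transfers are dropped.
func (h *HotHost) Broadcast(t Transfer, sig []byte) error {
	if !ed25519.Verify(h.pub, t.Digest(), sig) {
		return errors.New("hot host: invalid signature, refusing to broadcast")
	}
	if t.Nonce != h.nextNonce {
		return errors.New("hot host: stale nonce, refusing replay")
	}
	h.nextNonce++
	h.Sent = append(h.Sent, t)
	return nil
}

func main() {
	cold, _ := NewColdSigner(100)
	hot, _ := NewHotHost(cold.Address())
	t := hot.NewTransfer("customer-addr", 40) // prepared online
	sig, err := cold.Sign(t)                   // carried offline, signed, carried back
	fmt.Println("legit withdrawal:", err, hot.Broadcast(t, sig))
	fmt.Println("replay of same transfer:", hot.Broadcast(t, sig))
	// Attacker controlling the hot host can craft anything but holds no key.
	fmt.Println("forged transfer:", hot.Broadcast(hot.NewTransfer("attacker-addr", 100), make([]byte, ed25519.SignatureSize)))
	_, err = cold.Sign(hot.NewTransfer("attacker-addr", 1_000_000))
	fmt.Println("over-limit request:", err)
}
```

The contrast with the scenario in the paragraph above is the point: if the operator instead imports the private key onto the online PC to spend, the malware there can call the equivalent of `Sign` itself with no limit at all, which is exactly how a cold wallet “becomes” a hot one.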
Researchers at security firm Proofpoint say they have found evidence that new types of “sophisticated backdoors and reconnaissance malware” are being used by Lazarus to try and steal cryptocurrency from organizations and individuals.
“Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing bitcoin and other cryptocurrencies,” Darien Huss, a threat researcher at security firm Proofpoint, writes in a new report.
I dropped some details in my report on an ActiveX 0day in M2Soft utilizing South Korean website compromises to deliver #FBIRAT (open source RAT known to be utilized by #DPRK, see research from @ashley_shen_920/@051R15/@kjkwak12) and #Charon (custom implant that is not so widely known) pic.twitter.com/tox5q9y8Se
— Darien Huss (@darienhuss) December 20, 2017
Lazarus has also been blamed for campaigns aimed at infecting South Korean ATMs with malware – to facilitate cash-out or jackpotting attacks.
Proofpoint says it’s also seen Lazarus Group attempting to infect point-of-sale systems with a variant of PowerShell-based malware PowerRatankba. Huss says this malware, which it’s dubbed RatankbaPOS, “may be the first publicly documented instance of a nation-state targeting a point-of-sale related framework for the theft of credit card data.”
Reports of Pyongyang’s apparently insatiable thirst for bitcoins and payment card data follow the White House this week publicly accusing North Korea of being behind the May outbreak of WannaCry crypto-locking ransomware (see Trump Administration: ‘North Korea Launched WannaCry’).
Thomas P. Bossert, assistant to the president for homeland security and counterterrorism, told reporters this week that the U.S. assessment is shared by intelligence agencies in Australia, Canada, Japan, New Zealand and the United Kingdom. Multiple security firms have also reached similar conclusions.
The Lazarus Group has previously been tied to numerous DDoS botnets, phishing campaigns, malware attacks and bank thefts perpetrated via fraudulent SWIFT messages.
Lazarus has been blamed for the 2014 hack and wiper malware attack against Sony Pictures Entertainment. Lazarus has also been blamed for the attempted theft of nearly $1 billion from the central bank of Bangladesh’s New York Federal Reserve account in February 2016, from which $81 million was stolen via fraudulent SWIFT messages, followed this October by the theft of $60 million from a Taiwanese bank. Security researchers say Pyongyang-backed hackers have also targeted banks in India, Mexico, Poland and the United Kingdom.
North Korea continues to deny that it was involved in WannaCry or any other online attacks. A spokesman for Pyongyang’s foreign ministry on Thursday said the U.S. allegations were “absurd.”
He added: “As we have clearly stated on several occasions, we have nothing to do with cyberattacks.”