US cybersecurity firm Recorded Future has released a new report linking Lazarus, a North Korean hacking group, to various South Korean cryptocurrency exchange hacking attacks and security breaches.

In a report entitled “North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign,” the firm’s researchers stated that the same type of malware used in the Sony Pictures security breach and WannaCry ransomware attack was utilized to target Coinlink, a South Korea-based cryptocurrency exchange.

“North Korean government actors, specifically Lazarus Group, continued to target South Korean cryptocurrency exchanges and users in late 2017, before Kim Jong Un’s New Year’s speech and subsequent North-South dialogue. The malware employed shared code with Destover malware, which was used against Sony Pictures Entertainment in 2014 and the first WannaCry victim in February 2017,” the report read.

$7 mln stolen from Bithumb

In February 2017, Bithumb, the second largest cryptocurrency exchange in the global market by daily trading volume, fell victim to a security breach that led to the loss of around $7 mln of user funds, mostly in Bitcoin and Ethereum’s native cryptocurrency Ether.

The report released by Recorded Future noted that the $7 mln Bithumb security breach has been linked to North Korean hackers. Insikt Group researchers, a group of cybersecurity researchers that closely track the activities of North Korean hackers regularly, revealed that Lazarus Group, in particular, has used a wide range of tools from spear phishing attacks to malware distribution through communication platforms to gain access to cryptocurrency wallets and accounts.

Insikt Group researchers disclosed that Lazarus Group hackers initiated a massive malware campaign in the fall of 2017 and since then, North Korean hackers have focused on spreading malware by attaching files containing fraudulent software to gain access to individual devices.

One method Lazarus Group employed was the distribution of Hangul Word Processor (HWP) files through email, the South Korea equivalent of Microsoft Word documents, with malware attached. If any cryptocurrency user downloads the malware, it autonomously installs itself and operates in the background, taking control of or manipulating data stored within the specific device.

“By 2017, North Korean actors had jumped on the cryptocurrency bandwagon. The first known North Korean cryptocurrency operation occurred in February 2017, with the theft of $7 mln (at the time) in cryptocurrency from South Korean exchange Bithumb. By the end of 2017, several researchers had reported additional spear phishing campaigns against South Korean cryptocurrency exchanges, numerous successful thefts, and even Bitcoin and Monero mining,” Insikt Group researchers wrote.

Motivation of North Korean hackers

Prior to the release of Recorded Future’s report, several other cybersecurity firms had accused North Korean hacking groups of targeting South Korean cryptocurrency trading platforms with sophisticated malware and phishing attack tools.

Researchers at FireEye linked six targeted cyber attacks against South Korean cryptocurrency exchanges to state-financed hackers based in North Korea. Most recently, as Cointelegraph reported, police investigators and the Korea Internet and Security Agency initiated a full investigation into a security breach that led to the bankruptcy of YouBit, a South Korean cryptocurrency trading platform.

At the time, local investigators stated that they have found evidence to link the YouBit security breach to North Korean hackers. FireEye senior analyst Luke McNamara also told Bloomberg that similar tools widely utilized by North Korean hackers were employed in the YouBit hacking attack.

“This an adversary that we have been watching become increasingly capable and also brazen in terms of the targets that they are willing to go after. This is really just one prong in a larger strategy that they seem to be employing since at least 2016, where they have been using capability that has been primarily used for espionage to actually steal funds.”