A US cybersecurity firm claims it has found evidence of hacked computers sending coins to a North Korean university after being infected with cryptocurrency mining malware. But government-linked hackers are not behind the attacks.

According to a report by the American cybersecurity firm AlienVault, the software hides itself among legitimate files and programs, and uses the computer in which its embedded itself to mine the cryptocurrency Monero. The mined coins are then sent on to a server based at Kim Il Sung University in Pyongyang.

The malware – which installs itself as intelservice.exe in what is likely an attempt to hide among legitimate products from Intel Corp – was identified by AlienVault through a database of computer viruses put together by the Google subsidiary VirusTotal. Cryptocurrency mining needs a lot of operating power resulting in mounting electricity bills, which is why hackers often try to reassign the task to a network of compromised PC’s under their control.

“So running [the cryptocurrency-mining software] on someone else’s computer means you don’t have any costs, only profit,” Chris Doman, the AlienVault threat engineer who identified the virus, told the Wall Street Journal.

Read more

Faced with severe international sanctions, some analysts have suggested that Pyongyang may be looking at unorthodox ways to raise capital. Last year, North Korea was accused of a series of online heists on banks and bitcoin exchanges in South Korea and Taiwan. But the rather primitive level of programming found in the code led AlienVault’s experts to suspect it was more of an amateur effort rather than something tied to the North Korean government.

“Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus [a group of hackers linked to the government],” AlienVault’s report read. “As the mining server is located in a university, we may be looking at a university project.”

However, the university’s server doesn’t seem to be connected to the wider internet, so the final destination of the coins could be another server and that this is just a ruse to trick security experts. Another possibility is that it could be designed solely for the university’s network itself, as part of a legitimate mining project, but this scenario doesn’t explain why the program would try to disguise itself.

Access to the internet in North Korea is very limited – only a select group of officials can go on the World Wide Web, while a larger circle, including students and researchers, can use the country’s domestic intraweb. But Kim Il Sung University is also home to a number of foreign students and staff, so it’s possible the code’s authors are not even Korean.

Monero is the 13th largest cryptocurrency in the world and is considered to have even better value for privacy than bitcoin. It is still unknown how and where exactly the crypto-mining malware was first spotted, and how many (if any) Monero coins it has mined.