In 2016 we began observing actors we believe to be North Korean
utilizing their intrusion capabilities to conduct cyber crime,
targeting banks and the global financial system. This marked a
departure from previously observed activity of North Korean actors
employing cyber espionage for traditional nation state activities.
Yet, given North Korea’s position as a pariah nation cut off from much
of the global economy – as well as a nation that employs a government
bureau to conduct illicit
economic activity – this is not all that surprising. With North
Korea’s tight control of its military and intelligence capabilities,
it is likely that this activity was carried out to fund the state or
personal coffers of Pyongyang’s elite, as international sanctions have
constricted the Hermit Kingdom.
Now, we may be witnessing a second wave of this campaign:
state-sponsored actors seeking to steal bitcoin and other virtual
currencies as a means of evading sanctions and obtaining hard
currencies to fund the regime. Since May 2017, Mandiant experts have observed North Korean actors
target at least three South Korean cryptocurrency exchanges with the
suspected intent of stealing funds. The spearphishing we have observed
in these cases often targets personal email accounts of employees at
digital currency exchanges, frequently using tax-themed lures and
deploying malware (PEACHPIT
and similar variants) linked to North Korean actors suspected to be
responsible for intrusions into global banks in 2016.
Add to that the ties between North Korean operators and a watering
hole compromise of a bitcoin news site in 2016, as well as at least
one instance of usage of a surreptitious
cryptocurrency miner, and we begin to see a picture of North
Korean interest in cryptocurrencies, an asset class in which bitcoin
alone has increased over 400% since the beginning of this year.
2017 North Korean Activity Against South Korean Cryptocurrency Targets
- April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement.)
- April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
- Early May – Spearphishing against South Korean Exchange #1 begins.
- Late May – South Korean Exchange #2 compromised via spearphish.
- Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
- Early July – South Korean Exchange #3 targeted via spearphishing to a personal account.
Benefits to Targeting Cryptocurrencies
While bitcoin and cryptocurrency exchanges may seem like odd targets
for nation state actors interested in funding state coffers, some of
the other illicit endeavors North Korea pursues further demonstrate
interest in conducting financial crime on the regime’s behalf. North
Korea’s Office 39 is involved in activities such as gold smuggling,
counterfeiting foreign currency, and even operating restaurants.
Besides a focus on the global banking system and cryptocurrency
exchanges, a recent report by a South Korean institute noted
North Korean actors targeting ATMs with malware, activity that at the
very least likely supports similar ends.
If actors compromise an exchange itself (as opposed to an individual
account or wallet), they can potentially move cryptocurrencies out of
online wallets, swapping them for other, more anonymous
cryptocurrencies or sending them directly to wallets on other
exchanges to withdraw them in fiat currencies such as South Korean
won, US dollars, or Chinese renminbi. As the regulatory environment
around cryptocurrencies is still emerging, some exchanges in different
jurisdictions may have lax anti-money laundering controls, easing this
process and making exchanges an attractive target for anyone seeking
hard currency.
Conclusion
As bitcoin and other cryptocurrencies have increased in value in the
last year, nation states are beginning to take notice. Recently, an
advisor to President Putin in Russia announced plans
to raise funds to increase Russia’s share of bitcoin mining, and
senators in Australia’s parliament have proposed developing their own
national cryptocurrency.
Consequently, it should be no surprise that cryptocurrencies, as an
emerging asset class, are becoming a target of interest by a regime
that operates in many ways like a criminal enterprise. While at
present North Korea is somewhat distinctive in both its willingness
to engage in financial crime and its possession of cyber espionage
capabilities, the uniqueness of this combination will likely not last
long-term, as rising cyber powers may see similar potential. Cyber
criminals may no longer be the only nefarious actors in this space.