Anti-Malware , Fraud , Phishing

Report: Investigators Eye North Koreans for Exchange Hack

North Korean Hackers Also Blamed for Phishing, SWIFT Fraud, POS and ATM Malware
Report: Investigators Eye North Koreans for Exchange Hack

Police in South Korea investigating the hack of a cryptocurrency exchange are eyeing a hacking group tied to the government of North Korea as the likely culprits, the Wall Street Journal reports.

See Also: Live Webinar | Benchmarking Your Organization's Security Performance with Security Ratings

On Tuesday, South Korean company Yapian, which operates the Seoul-based Youbit cryptocurrency exchange, suspended the use of all cryptocurrency and cash withdrawals and announced that it was declaring bankruptcy. Yapian reported that it lost 17 percent of its assets after a hacker on Tuesday stole the entire contents of its hot wallet. "The other coins were kept in the cold wallet and there were no additional losses," the company says in a statement.

The company has not specified the type of cryptocurrency stolen or the value of the lost assets. But Yapian says that it holds a cyber insurance policy worth $2.8 million.

News of the hack was first reported by the Wall Street Journal, which says South Korean police and the Korea Internet & Security Agency are in the early stages of their investigation.

Cryptocurrency typically gets stored in wallets, with hot wallets referring to internet-connected repositories that enable exchanges and service providers to facilitate instant payments. Cold wallets are offline devices that can be plugged into a PC or server only when required. This makes them safer from hack attacks.

Yapian said that it would allow users to withdraw 75 percent of their balance with Youbit and pay out the rest after reaching a final bankruptcy settlement.

A spokesman at DB Insurance Co. tells the Wall Street Journal that Yapian purchased a one-year cyber insurance policy from it on Dec. 1 and that the Yapian has not yet filed a claim over the attack. It has three years to do so.

The Youbit hack followed Yapian in April having suffered a hacking "accident" that also resulted in lost assets. Unnamed sources in South Korea told the Wall Street Journal that investigators concluded that a North Korean hacking team was behind the theft, and said Pyongyang-backed hackers had targeted at least two other South Korean exchanges between April and October of this year.

South Korea's Bitcoin Fever

South Korea is the world's third-largest trading market for bitcoins - following Japan and the United States - and the world's biggest market for trading ether, Ethereum's cryptocurrency.

As the country's trading volumes and the value of cryptocurrency have increased, the South Korean government has announced plans to regulate such trading. Measures under consideration include banning minors from trading as well as a value-added tax or capital gains tax on cryptocurrency.

The massive spike in the value of a bitcoin - from less than $1,000 at the beginning of the year to near $20,000 in recent weeks - has led many more criminals to come calling (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).

Fraud expert Avivah Litan of Gartner tells Information Security Media Group that several major cybercrime gangs appear to have literally dropped everything "and moved over to bitcoin hacking" (see Cryptocurrency Infrastructure Flaws Pose Bitcoin Risks).

Hackers Bet on Bitcoins

South Korea's cash-strapped neighbor to the north appears to be trying to cash in on the bitcoin fever. Any future rise in the cryptocurrency's value could make it a good long-term investment for the Pyongyang-based government of what is officially known as the Democratic People's Republic of Korea.

"It is a fact that North Korea has been attacking virtual currency exchanges," Lee Dong-geun, a director with South Korea's state-run Korea Internet and Security Agency, tells CNN. "We don't know how much North Korea has stolen so far, but we do know that the police have confirmed the regime's hacking attempts."

North Korea is desperate for cash, in part, because of U.S. sanctions over the country's nuclear efforts and ballistic missile program. The country's massive unpaid debts have also left it unable to access the debt market as a source of financing.

Escalating Attacks

Hack attacks against bitcoin exchanges and traders are nothing new. Unfortunately, many exchanges' infrastructures appear to be unable to block hack attacks.

"Bitcoin exchanges are like big poorly built Death Stars that inevitably get blown up by one dork across twenty movies in a row," Christopher Boyd, a researcher at security firm Malwarebytes, says via Twitter.

In April 2013, former Tokyo-based bitcoin exchange Mt. Gox - then the world's largest cryptocurrency exchange - warned that distributed denial-of-service attackers were attempting to disrupt the exchange and force the price of bitcoin to drop.

Then in February 2014, the exchange declared bankruptcy after hackers stole 850,000 of its bitcoins and $28 million in cash (see Feds Indict Russian Over BTC-e Bitcoin Exchange).

In 2015, a U.K. exchange lost 18,977 bitcoins - then worth $5 million - after attackers used macros in a malicious Microsoft Word document to infect a system that was connected to the exchange's hot wallet (see Bitcoin Exchange Hacked With Word Macro).

Earlier this month, Slovenia-based digital currency marketplace NiceHash announced that it was suspending operations for at least 24 hours after hackers breached its systems and stolen 4,700 bitcoins. NiceHash has been the world's largest cryptocurrency mining marketplace, allowing users to buy or rent cryptocurrency mining power from each others' servers. As of Thursday, operations remained suspended.

Organizations and Individuals Targeted

Individual bitcoin holders are also at risk. This month, security researchers warned that attackers have been sending would-be victims a fake job advertisement for a London-based bitcoin wallet software and cryptocurrency exchange. These phishing messages included a Microsoft Word document with a malicious macro which, if executed, would allow attackers to push additional malware onto the system.

The researchers have linked these attacks to Lazarus group, a hacking team believed to be tied to North Korea (see Lazarus Hackers Phish For Bitcoins, Researchers Warn).

Pop-up generated by a malicious Microsoft Word document attached to emails sent as part of the fake CFO job lure phishing campaign tied to Lazarus. The Word attachment, which includes malicious macros, attempts to trick recipients into enabling macro functionality in Microsoft Office, which is disabled by default because of the risk it poses to users. (Source: Secureworks CTU)

Infecting bitcoin traders' systems with malware can allow attackers to wait until victims connect a cold wallet - cryptocurrency stored in cold storage - to their PC, at which point it becomes a hot wallet, and drain the wallet of its bitcoins.

Researchers at security firm Proofpoint say they have found evidence that the Lazarus Group is using new types of "sophisticated backdoors and reconnaissance malware" to attempt to steal cryptocurrency from organizations and individuals.

"Victims of interest are then infected with additional malware including Gh0st RAT to steal credentials for cryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing bitcoin and other cryptocurrencies," Darien Huss, a threat researcher at security firm Proofpoint, writes in a new report.

The Lazarus Group has also been blamed for campaigns aimed at infecting South Korean ATMs with malware - to facilitate cash-out or jackpotting attacks.

Proofpoint says it's also seen Lazarus Group attempting to infect point-of-sale systems with a variant of PowerShell-based malware PowerRatankba. Huss says this malware, which it's dubbed RatankbaPOS, "may be the first publicly documented instance of a nation-state targeting a point-of-sale related framework for the theft of credit card data."

Security firm RiskIQ says it's also tied Lazarus to a phishing campaign that sends messages about fake bitcoin gold wallet software. The fake site's download button triggers a JavaScript event that attempts to run an installer that then tries to download the PowerRatankba malware, RiskIQ says.

Lazarus phishing messages lead to a fake wallet software download site, left, designed to look like the real site, pictured on right. (Source: Proofpoint)

WannaCry Attribution

Reports of North Korea's apparently insatiable thirst for bitcoins and payment card data follow the White House this week publicly accusing North Korea of being behind the May outbreak of WannaCry crypto-locking ransomware (see Trump Administration: 'North Korea Launched WannaCry').

Thomas P. Bossert, assistant to the president for homeland security and counterterrorism, told reporters this week that the U.S. assessment is shared by intelligence agencies in Australia, Canada, Japan, New Zealand and the United Kingdom. Several security firms have reached similar conclusions.

Bank Hacking

The Lazarus Group has been previously tied to numerous DDoS botnets, phishing campaigns, malware attacks and bank thefts perpetrated via fraud SWIFT messages.

Lazarus has been blamed for the 2015 hack and wiper malware attack against Sony Pictures Entertainment. The group has also been blamed for the attempted theft of nearly $1 billion from the central bank of Bangladesh's New York Federal Reserve account in February 2016, from which $81 million was stolen via fraudulent SWIFT messages, followed by the October theft of $60 million from a Taiwanese bank. Security researchers say North Korea-backed hackers have also targeted banks in India, Mexico, Poland, India and the United Kingdom.

North Korea continues to deny that it was involved in WannaCry or any other online attacks. A spokesman for the nation's foreign ministry on Thursday said the U.S. allegations were "absurd." He added: "As we have clearly stated on several occasions, we have nothing to do with cyberattacks."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network