The North Korean government uses cyber espionage and cryptocurrency theft to sidestep sanctions by obtaining and laundering funds for the regime. Numerous other countries, as well as the EU, have placed sanctions similar to those of the US on the transfer of funds and materials to North Korea. In the face of these sanctions, the advantages of cyber operations are clear: they require minimal physical resources and infrastructure, and they allow for the theft of large amounts of money through the popularity and rising acceptance of cryptocurrency. Potential hackers are recruited at a young age and given perks such as exemption from military service and spacious living accommodations.
North Korean cyber operations include cryptocurrency theft, ransomware attacks, and operations targeting the SWIFT banking system. Recently, North Korean hackers committed the largest theft of all time by stealing cryptocurrency, and the US cracked down on fraudulent IT workers who had infiltrated top US companies. The threat from North Korean-backed hackers will continue to grow, as the thousands of individuals involved in these operations face no risk of extradition and receive funding and support from their government. The number of individual cryptocurrency thefts exceeding $100M increased in 2024. In total, North Korean-affiliated hacking groups stole more than $1B in cryptocurrency in 2024.
North Korean IT Worker Scheme
For a few years, North Korean IT workers posing as US citizens gained employment at hundreds of US companies as IT support staff and software engineers. This infiltration represents a severe insider threat that poses a long-term cybersecurity risk. These operations are an extensive social engineering attack involving stolen or fabricated identities. The fraudulent workers worked remotely from China, Russia, and North Korea. Some of these individuals were tied to North Korean weapons programs and used IP addresses linked to North Korea's intelligence bureau. US citizens were recruited to run laptop farms on behalf of the fraudulent IT workers and to steal the identities of other US citizens for use in fraudulent job applications. ChatGPT was also used to develop fraudulent materials for the campaign, highlighting the adaptability of the threat actors in increasing the effectiveness of their social engineering campaigns.
Bybit Korean Cryptocurrency Hack
The Bybit cryptocurrency hack was the largest theft of all time, surpassing the theft of $1B from the Iraqi central bank by Saddam Hussein in 2003. In this cyber theft, North Korean hackers gained control of an Ethereum cold wallet by altering smart contract logic, transferring $1.46B to an unknown address. The funds were rapidly moved through a series of smaller cryptocurrency transactions to disguise their source. The threat actors manipulated the front-end of the application to take advantage of blind signing, in which signers approve a transaction without independently verifying its contents, and used it to alter the smart contract in a multi-signature cold storage attack. This theft shows that regulation and security of digital financial assets must be as high as for traditional institutions such as banks.
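The defensive counterpart to blind signing is to decode the bytes that will actually be signed and compare them with what the front-end shows. The following is an added example, not code from the original post or from any wallet vendor; `MultisigTx`, its digest format, the allow-list and the placeholder addresses are all constructed for illustration.

```python
"""Independent check a multisig signer can run instead of blind signing.

Added example, not from the original post. MultisigTx and its digest are a
simplified, constructed model of a multisig proposal, not a real wallet's
encoding, and the addresses are placeholders."""
from dataclasses import dataclass
import hashlib

CALL, DELEGATECALL = 0, 1  # operation kinds a typical multisig wallet exposes


@dataclass(frozen=True)
class MultisigTx:
    to: str         # target contract or recipient
    value: int      # amount in wei
    data: bytes     # calldata
    operation: int  # CALL or DELEGATECALL
    nonce: int

    def digest(self) -> str:
        """Hash over the fields a signer actually commits to (constructed format)."""
        body = f"{self.to.lower()}|{self.value}|{self.data.hex()}|{self.operation}|{self.nonce}"
        return hashlib.sha256(body.encode()).hexdigest()


def reasons_to_refuse(ui_view: dict, signed: MultisigTx, allowed: set[str]) -> list[str]:
    """Compare what the front-end displays (ui_view) with the transaction decoded
    from the bytes the hardware signer will actually sign. Empty list means sign."""
    reasons = []
    if ui_view["to"].lower() != signed.to.lower():
        reasons.append("UI recipient differs from recipient in signed bytes")
    if ui_view["value"] != signed.value:
        reasons.append("UI amount differs from amount in signed bytes")
    if signed.operation == DELEGATECALL:
        reasons.append("delegatecall lets the target rewrite the wallet's own logic")
    if signed.to.lower() not in allowed:
        reasons.append("target is not on the signer's allow-list")
    if ui_view["digest"] != signed.digest():
        reasons.append("hash shown by UI does not match hash of decoded transaction")
    return reasons


# Constructed scenario: the UI shows a routine transfer to the known warm wallet,
# while the bytes handed to the signer describe a delegatecall to another contract.
WARM_WALLET = "0xWARM_WALLET_PLACEHOLDER"
ALLOWED = {WARM_WALLET.lower()}
HONEST = MultisigTx(WARM_WALLET, 10**18, b"", CALL, 42)
TAMPERED = MultisigTx("0xATTACKER_CONTRACT_PLACEHOLDER", 0, bytes.fromhex("deadbeef"), DELEGATECALL, 42)
UI_VIEW = {"to": WARM_WALLET, "value": 10**18, "digest": HONEST.digest()}
```

The digest comparison is the step that matters: a signer who reads the hash off the hardware device and checks it against an independently computed value is not relying on the front-end at all.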
Groups attributable to North Korea
The two examples above are the most recent and well-known operations by the series of threat actors that can be attributed to North Korea. Most of these actors fall under the 3rd Technical Surveillance Bureau, based in Pyongyang and Sinuiju. This bureau is the principal North Korean intelligence agency and is responsible for cyber operations. Its espionage operations target defense, aerospace, and engineering entities. Other operations, such as cryptocurrency theft and ransomware extortion, are used to fund its activities, and some of the attacks likely support illicit weapons and missile programs. The groups mentioned below are by no means a complete list, and many groups are tracked under different names by different organizations. Because attributing cyberattacks is difficult, the targets and methods ascribed to these groups overlap. I just wanted to give a brief introduction to some of the more active groups.
Lazarus Group (APT38)
The most prolific group is known as Lazarus, or APT38. It is a cyberwarfare group comprising researchers and intelligence personnel. This group is subordinate to the 110th Research Center of the 3rd Technical Surveillance Bureau and has likely been operating since 2009, perhaps as early as 2007. Several subgroups and aliases have been identified, each with distinct targets:
Bluenoroff
This Lazarus subgroup targets foreign financial institutions. Bluenoroff uses phishing and backdoor intrusion to target the SWIFT messaging system, financial institutions, and cryptocurrency exchanges. The group has developed malware that targets macOS users. The funds stolen by Bluenoroff generate revenue for the nuclear weapons and ballistic missile programs. Some of its victims include banks in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. Bluenoroff used stolen SWIFT credentials in an attempt to steal $851 million from the Central Bank of Bangladesh's account at the US Federal Reserve. Additionally, a code fragment from the WannaCry malware has been linked to the Bluenoroff group.
Andariel Unit
The Andariel Unit is a unit of North Korean military intelligence based in Pyongyang and Sinuiju. It is likely a subgroup of the Lazarus group and targets South Korean organizations and businesses. The unit conducts cyberespionage and ransomware attacks, and it infiltrated the personal computer of the South Korean Defense Minister to extract military operations intelligence. Andariel identifies vulnerable systems using publicly available internet scanning tools that find vulnerabilities in public-facing web servers, and it is experienced in Living-off-the-Land (LOTL) malware development techniques. Its operators scan targets for files and keywords related to the defense and military sectors, collect the stolen data in RAR archives, and then exfiltrate the archives to cloud storage sites. Andariel has also developed unique malware to hack online gambling sites and stole bank information by hacking into ATMs.
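The staging-then-exfiltration sequence described above (archive created locally, then pushed to a cloud storage site) is a detectable pattern when process and network telemetry from the same host are correlated. The following is an added example, not code from the original post: the events are constructed, Sysmon-like records, and the field names, archiver list, cloud-storage domain list and 30-minute window are assumptions a deployment would tune.

```python
"""Correlating archive staging with a cloud-storage upload on the same host.

Added example, not from the original post. The events are constructed,
Sysmon-like records; the field names, archiver list and cloud-storage domain
list are assumptions a deployment would tune."""
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}
CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "mega.nz", "pcloud.com"}
WINDOW = timedelta(minutes=30)

EVENTS = [  # constructed sample: one staging-then-upload sequence, one benign pair
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "process",
     "image": "C:\\Tools\\rar.exe",
     "cmdline": "rar.exe a -r -hp staging.rar C:\\Users\\eng\\Documents\\"},
    {"ts": "2024-05-01T09:12:00", "host": "ws-17", "type": "network",
     "image": "C:\\Windows\\System32\\curl.exe", "dest_host": "api.pcloud.com"},
    {"ts": "2024-05-01T10:00:00", "host": "ws-22", "type": "process",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a backup.rar D:\\photos"},
    {"ts": "2024-05-01T14:00:00", "host": "ws-22", "type": "network",
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_host": "www.dropbox.com"},
]


def is_cloud_storage(dest: str) -> bool:
    """Exact or subdomain match against the cloud-storage domain list."""
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE)


def is_archive_creation(event: dict) -> bool:
    """Archiver binary invoked with the 'a' (add) command."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    return name in ARCHIVERS and " a " in f" {event['cmdline']} "


def find_staging_exfil(events, window=WINDOW):
    """Return (host, archive_ts, upload_ts, dest) for every cloud-storage
    connection that follows an archive creation on the same host within window."""
    archives, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and is_archive_creation(e):
            archives.setdefault(e["host"], []).append(ts)
        elif e["type"] == "network" and is_cloud_storage(e["dest_host"]):
            for a_ts in archives.get(e["host"], []):
                if timedelta(0) <= ts - a_ts <= window:
                    hits.append((e["host"], a_ts.isoformat(), ts.isoformat(), e["dest_host"]))
    return hits
```

On the constructed sample only ws-17 is flagged; the ws-22 backup followed by an unrelated Dropbox visit four hours later falls outside the window, which is the trade-off the window size controls.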
TEMP.Hermit
This Lazarus subgroup has targeted media, defense, and IT organizations. Its focus is espionage, financial gain, and network destruction.
Kimsuky
Kimsuky is a North Korean hacking group that conducts intelligence collection and commits cybercrime to fund its espionage activities. It distributes malware disguised as content related to cryptocurrency exchanges and investment. Kimsuky operates under the 5th Bureau of Inter-Korean Affairs and uses sophisticated social engineering campaigns with spoofed personas and spear-phishing. The group develops realistic and detailed spoofed websites, harvests credentials, and creates cover identities for purchasing tools and infrastructure. Kimsuky maintains a high tempo of operations and collaborates with other North Korean state actors. Some of its criminal activities fund strategic intelligence collection, and it purchases mining power to launder cryptocurrency. It does not seem to share code with other North Korean threat actor groups.
APT37
Also known as Red Eyes or ScarCruft, this APT group targets the energy sector. It has impersonated South Korean financial institutions and insurance companies to distribute malicious files, and some of its attacks used the public cloud-storage service pCloud as a command and control (C2) server. APT37 operates under the Ministry of State Security and has targeted systems in South Korea, Japan, Vietnam, and the Middle East.
UNC2970
UNC2970 is a North Korean hacker group that poses as security researchers and posts on blogs or social media. Its operators develop relationships with real researchers and eventually share exploits or analysis tools with embedded trojans.
Conclusion
North Korean-backed cyber operations have increased in scope and sophistication over the past couple of years, and this trend is likely to continue. Their unique targeting of cryptocurrency organizations and individuals, and the extensive social engineering campaigns used to get into remote IT teams, will continue to pose a threat to the security of many organizations.