Suspected North Korean cyber group seeks to woo bitcoin job seekers

By Reuters/Eric Auchard   December 17, 2017 | 08:22 pm PT
Bitcoin can be transferred electronically between users without an intermediary such as a bank, making it potentially attractive for buying illegal goods or services.

The surging price of cryptocurrencies in global markets is catching the eye not just of ordinary retail investors but a cybercrime gang with links to the North Korean government, according to cyber researchers tracing the group's activities.

The Lazarus cybercrime group is mounting an ongoing scheme to steal the online credentials of bitcoin industry insiders, according to a report published on Friday by the Counter Threat Unit (CTU) of U.S. cyber security firm Secureworks.

Cybersecurity firms including Secureworks suspect North Korea to be behind the Lazarus group, which they link to an $81 million cyber heist last year at the Bangladesh central bank and a 2014 attack on Sony’s Hollywood studio.

"Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency," Secureworks said in a statement to Reuters.

Prices for the volatile cryptocurrency surged past $10,000 late last month and have continued to race upward toward $20,000. A single bitcoin traded above $17,500 on Friday, up more than 7 percent on the day and more than 18 times in the year to date.

Secureworks said that as recently as last month it had monitored a targeted email campaign that tried to trick victims into clicking on a malicious link advertising a job opening for a chief financial officer at a London cryptocurrency company.

Those who clicked on the hiring link were infected by malicious code in a document attached to the email, which installed software that gave the attackers remote control of the victim's device, allowing them to download further malware or steal data.
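The lure described above (a job offer for a finance role, carrying an Office document attachment) is a pattern a mail-security team can screen for. The script below is an added example, not code from Reuters or Secureworks; it builds a constructed message that imitates the shape of such a lure (the text, file name and bytes are invented, not the actual Lazarus document) and runs a simple triage check over it: job-related wording in the subject or body combined with a macro-capable Office attachment or an attachment whose bytes start with the legacy OLE compound-file header.

```python
"""Triage check for job-lure spear-phishing e-mails.

Added example, not part of the Reuters report or the Secureworks research.
The sample message below is constructed for illustration.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Wording typical of a hiring lure (assumed list; tune for your environment).
LURE_PATTERNS = [
    r"\bjob\b", r"\bopening\b", r"\bvacanc", r"\bhiring\b",
    r"\bposition\b", r"\bchief financial officer\b", r"\bcfo\b",
]
# Office formats that can carry VBA macros: legacy binary or macro-enabled.
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".docm", ".dotm", ".xlsm", ".pptm"}
# Magic bytes of the OLE compound-file format used by .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_message(subject: str, body: str, filename: str = None,
                  payload: bytes = b"") -> bytes:
    """Construct a raw RFC 5322 message; used only to produce sample input."""
    msg = EmailMessage()
    msg["From"] = "recruiter@example.com"
    msg["To"] = "finance@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse a raw message and flag lure wording plus risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body_text).lower()
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text)]

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "macro_capable": ext in MACRO_CAPABLE_EXTS,
            # Header check catches renamed files, e.g. a .doc saved as .txt.
            "ole_header": data.startswith(OLE_MAGIC),
        })

    risky = any(a["macro_capable"] or a["ole_header"] for a in attachments)
    return {
        "lure_hits": lure_hits,
        "attachments": attachments,
        # Both conditions together: lure wording AND a risky attachment.
        "suspicious": bool(lure_hits) and risky,
    }


# Constructed sample lure: subject and attachment shaped like the campaign
# described in the article; the bytes are an OLE header plus padding.
SAMPLE_LURE = build_message(
    "Job opening: Chief Financial Officer, London cryptocurrency company",
    "Please review the attached job description and reply if interested.",
    "CFO_Job_Description.doc",
    OLE_MAGIC + b"\x00" * 64,
)

# Constructed benign message with the same wording but no attachment.
SAMPLE_BENIGN = build_message(
    "Job opening: Chief Financial Officer",
    "We are hiring; details are on our careers page.",
)

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

The check deliberately requires both signals, since finance staff legitimately receive job-related mail and Office attachments; a real deployment would add sender-reputation and URL checks, and would pass any flagged attachment to a sandbox rather than opening it.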

This malware shares technical links with earlier campaigns staged by the secretive cybercrime group Lazarus, which Secureworks tracks under the name "Nickel Academy". Secureworks did not say whether anyone who received the email actually clicked on the link.

The so-called "spearphishing" attempt appears to have been delivered on October 25, but Secureworks researchers observed initial activity dating back to 2016. The researchers said in a statement that they believe the efforts to steal credentials are still ongoing.

Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, Secureworks said.

Secureworks researchers have found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple user names originating from computers using extremely rare North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean cyber attacks.

A spokeswoman for Secureworks said the company was releasing its preliminary findings now and a more complete report would be published later.
