North Korea’s involvement in major hacking offensives appears to be growing.
The country has been linked to a recent attack on South Korean cryptocurrency exchanges, according to cybersecurity experts.
Researchers from the U.S. cybersecurity firm Recorded Future say a new hacking campaign targeting South Korean cryptocurrency exchange Coinlink employed the same malware code used in the 2014 attack on Sony Pictures and last year’s global WannaCry attack.
Beginning in late 2017, hackers attempted to collect the passwords and emails of employees at Coinlink, but were unsuccessful.
Recorded Future released a full report on Jan. 16 comparing the methods used in the recent Coinlink attack with those used in previous cyberattacks. Based on the type of code used in those earlier attacks, the firm found what it called strong evidence that a cybercrime unit known as the Lazarus group was behind the Coinlink attack, as well as several previous large-scale campaigns.
According to the report, the Lazarus group operates under a North Korean state-sponsored cyber unit.
The group has been conducting operations since at least 2009, when it launched an attack on U.S. and South Korean websites by infecting them with a virus known as MyDoom, the report said. The group has mainly targeted South Korean, U.S. government, and financial entities, but has also been linked to the major attack on Sony Pictures in 2014.
In recent years, researchers noticed a change in North Korean cyber operations as they began to shift their focus to attacking financial institutions in order to steal money to fund Kim Jong Un’s regime, the report said.
In 2017, the group began targeting cryptocurrencies, and their first offensive was aimed at Bithumb, one of the world’s largest bitcoin exchanges. Lazarus hackers stole $7 million in the Bithumb heist at the time, according to the report.
The WannaCry attack in 2017, which affected computer systems at schools, hospitals, and businesses across 150 countries, also used malware code that was linked to Lazarus.
Additionally, a December attack on the South Korean bitcoin exchange YouBit reportedly mirrored previous North Korean offensives, leading experts to suggest that groups associated with the North were behind that attack as well.
Recorded Future’s report comes amid recent allegations that North Korea has begun mining and hacking cryptocurrencies in order to sidestep crippling economic sanctions.
“This is a continuation of their broader interest in cryptocurrency as a funding stream,” Priscilla Moriuchi, director of strategic-threat development at Recorded Future, told the Wall Street Journal this week.
The U.S. has released statements blaming North Korea for several recent attacks. North Korea still denies any involvement, despite mounting evidence.