North Korean hackers are now robbing individuals, credit card terminals: report

North Korea may be doubling down on its efforts to make money by hacking, according to new research by cybersecurity firm Proofpoint.

"From a tradecraft perspective, the Lazarus Group now looks more like a criminal enterprise than a nation-state," Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, told The Hill. 

The Lazarus Group, an industry name for the believed-to-be North Korean hackers that breached Sony Pictures and launched the disastrous WannaCry malware, has already been linked to several different attempts to generate revenue by hacking. The group was tied to a string of bank robberies using the SWIFT interbank transfer request system totaling hundreds of millions of dollars, as well as recent attempts to phish cryptocurrency exchanges.  

Proofpoint explains in a new report that Lazarus has started infecting South Korean credit card terminals, called point of sale (POS) systems, to steal credit card information. 

The firm believes this would make North Korea the first known nation to steal credit cards this way. 


Lazarus is also no longer phishing only cryptocurrency exchanges; it now targets individuals who appear to own bitcoin and other digital currencies as well.

"As more people who are less technical start to invest in bitcoin, this could become more of a problem — and not just with Lazarus doing the stealing," said Kalember. 

On Tuesday, the Trump administration blamed North Korea for the WannaCry malware that infected hundreds of thousands of systems in May. Such attributions from the executive branch have been extremely rare.

The report outlines two new pieces of malware being used by the group. Both are updates to the group's old malware, known as Ratankba.

RatankbaPOS, as the name suggests, is used in the POS robbery operations. PowerRatankba is like Ratankba but based in PowerShell, a Windows feature that runs commands.

Proofpoint linked the new attacks to past Lazarus attacks through shared code, idiosyncratic choices made during the programming, and shared infrastructure.

"We're as highly confident as we can be it's the same group," Kalember said.