North Korean hacker group linked to cryptocurrency attacks in South Korea

North Korean hacker group linked to cryptocurrency attacks in South Korea
© Getty Images

North Korea carried out a cyber campaign against South Korea through late last year, stealing cryptocurrency with malicious software similar to that used in the high-profile attacks of Sony Pictures Entertainment and the WannaCry ransomware attacks, a cybersecurity firm reported Tuesday.

Researchers at Recorded Future linked the crypto heists, which targeted both individual users and exchanges in South Korea, to an infamous hacking cyber organization known as Lazarus Group.


The group, affiliated with North Korea, used malware known as Ghostscript exploit to target people using Hangul Word Processor (HWP), a Korean language word processing program, according to the report.

In addition to Korean speakers using HWP, they found two other primary targets of the spear phishing attacks appear to include users of South Korean cryptocurrency exchanges like Coinlink, as well as a group of college students from around South Korea who call themselves “Friends of MOFA."

“This late 2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft,” Recorded Future found.

The researchers said they reached their determination after analyzing the level of code similarity in the attacks.

“Lazarus malware families overlap, likely as the result of the developers cutting-and-splicing an extensive codebase of malicious functionality to generate payloads as needed,” according to the report.

They noted that it is otherwise hard to identify or group the malware because of its “erratic composition.”

U.S. authorities blamed Lazarus Group for the 2014 cyberattack that devastated Sony Pictures Entertainment, costing the studio millions of dollars while smearing its reputation in a high-profile hack.

The entertainment company stoked the fury of the North Korean government over its production of “The Interview,” a controversial comedy in which two American men attempted to kill North Korean leader Kim Jong Un.

Lazarus Group is also believed to be behind the WannaCry attacks that caused major disruptions and affected institutions across the globe.

The researchers said they do not believe the Lazarus Group is behind the recently reported North Korean attacks against the Pyeongchang Olympics, stating that the techniques used for these recent cyber operations do not match the Lazarus Group's typical techniques.

Recorded Future said the attacks continued in the lead up to Kim’s new year's speech in which he indicated space for dialogue with South Korea, particularly as it relates to the Winter Olympics.

The researchers predicted that in 2018, North Korea will be forced to broaden its list of targets from primarily South Korea to other countries as Seoul “responds to these attempted thefts by increasing security.”

“As South Korean exchanges harden their networks and the government imposes stricter regulatory controls on cryptocurrencies, exchanges and users in other countries should be aware of the increased threat level from North Korean actors,” it warned.

A spokeswoman for Coinlink refuted claims made in the report, maintaining that their cryptocurrency exchange has not been targeted by hackers.

"There are no real attempts to attack our site from North Korea," the spokeswoman for Coinlink said in a statement, adding that emails and passwords stored in Coinlink "have not been hacked at all.”

-- Updated: Thursday, 5:22 a.m.