North Korean threat groups steal crypto to pay for hacking
APT43 launders crypto through mining, says Mandiant
Rashmi Ramesh (rashmiramesh_)
March 28, 2023
North Korean threat actors are stealing cryptocurrency to fund hacking operations under an apparent mandate from Pyongyang to be self-sufficient, threat intelligence firm Mandiant says.
The firm says in research published Tuesday that it has discovered a group it calls APT43 that launders stolen digital assets through leased cryptocurrency mining services. The group, which overlaps with activity attributed to the North Korean groups Kimsuky or Thallium, is primarily a cyber espionage operation.
“They’re the guys Kim Jong Un goes to after launching a missile to ask, ‘What did the world think about that?’” said Michael Barnhart, a principal analyst at Mandiant. The Google-owned firm says APT43 is a distinct group despite overlapping with other Pyongyang actors, commonalities Mandiant says occur among North Korean hacking groups as “the result of ad hoc cooperation or other limited resource sharing.”
“It’s like a whole new ecosystem now,” said Joe Dobson, principal analyst at Mandiant. The hackers’ reliance on public blockchains, whose transaction records are open to anyone, helps analysts track the groups’ financial activity and tell one threat actor apart from another.
Cash-strapped North Korea has famously used cryptocurrency theft to pump up its lagging economy, channeling the money into developing weapons of mass destruction. Government hackers stole $1.7 billion worth of digital assets in 2022 alone, blockchain analytics firm Chainalysis estimates (see: Banner year for North Korean cryptocurrency hacking).
APT43’s sideline in cryptocurrency hacking suggests it has been asked to pay for infrastructure such as server rental through hacking, Mandiant says — a development likely to apply broadly to North Korean hacking groups.
The Kim regime probably expected before 2020 that its hacking groups would pay their own way, but the new coronavirus pandemic likely put threat actors under additional pressure to be self-funding, Barnhart told the Information Security Media Group.
The group launders stolen cryptocurrency by paying for cloud mining services to generate new cryptocurrency that does not have a blockchain history. “For a small fee, the DPRK walks away with untraceable, clean currency to do as they please,” Barnhart said, using the acronym for North Korea’s official name, the Democratic People’s Republic of Korea.
Paying for mining is an “unusual and incredibly clever way” to launder stolen money, Dobson said. “Imagine a robber steals silver bars from a bank, then buys gold with the stolen silver. So while the police are looking for the stolen silver, the bank robber is running around with gold bars,” he said.
The dollar amounts stolen by APT43 are not huge because the group doesn’t need millions of dollars: Its focus is not to generate revenue for the regime but simply to fund its own operations, Dobson said.
“Imagine how much server infrastructure you can rent as a threat actor who doesn’t have to worry about massive amounts of traffic for $10,000. That’s a pretty significant amount of servers, and the hackers are definitely stealing way beyond that,” he said.
Mandiant says the threat group uses PayPal and American Express cards, likely funded through Bitcoin stolen during previous operations, to buy hardware and infrastructure. It has used compromised and proprietary infrastructure to host and deliver malware to targets and collect credentials.
APT43 itself has a “moderately sophisticated technical capability with aggressive social engineering tactics” and specifically targets government agencies and think tanks that focus on geopolitical issues on the Korean Peninsula, Mandiant says.
It deploys spear-phishing campaigns using spoofed domains and email addresses. The operatives pose as reporters and think tank analysts to build rapport with victims and gather intelligence, and they regularly update their decoy content and tailor it to the specific target audience.
Barnhart called the group’s technique “low sophistication, high volume.”
It also uses the contact lists of compromised individuals to identify additional spear-phishing targets. It uses stolen credentials to create online personas, to set up infrastructure for cyberespionage operations, and to directly compromise financial data, personally identifiable information and client data in sectors that also include business services and manufacturing.
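The spoofed-domain and spoofed-address spear-phishing described above is something a mail-security team can screen for before a message reaches the inbox of an analyst who corresponds with think tanks and agencies. The following is an added example written for this article, not code from Mandiant or from the report; the allowlist of trusted domains, the confusable-character table and every `From:` header in it are constructed for illustration. It flags the four common impersonation patterns in one pass: a trusted address shown only in the display name, a trusted domain embedded under a different registrable domain, digit-for-letter confusables, and one- or two-character typosquats.

```python
"""
Sender-domain triage for spear-phishing defence. Added example, not code
from Mandiant or from the article; the allowlist, the From: headers and the
confusable table below are constructed for illustration.
"""
import re
import unicodedata

# Constructed allowlist: domains the recipient's organisation corresponds with.
TRUSTED_DOMAINS = {"example-thinktank.org", "example-news.com", "example.gov"}

# Constructed table of characters and digraphs commonly swapped in lookalike
# registrations; the key is what an attacker registers, the value what it mimics.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

_ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")


def split_from(header: str) -> tuple[str, str]:
    """Split a From: value into (display name, address): the last <...> group is
    the address; anything before it is the display name, with quotes removed."""
    m = _ANGLE_ADDR.search(header)
    if m:
        return header[: m.start()].strip().strip('"'), m.group(1).strip()
    return "", header.strip()


def normalize(domain: str) -> str:
    """Fold Unicode to ASCII and collapse confusables so 'examp1e' == 'example'."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via iterative dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return {'domain', 'verdict', 'reason'} for one From: header value.
    Verdicts are 'trusted', 'lookalike' or 'unknown'."""
    display, addr = split_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    result = {"domain": domain, "verdict": "unknown", "reason": "not in allowlist"}

    if domain in trusted:
        return {**result, "verdict": "trusted", "reason": "exact allowlist match"}

    # A trusted address shown in the display name while the real sender is
    # elsewhere is rendered convincingly by most mail clients.
    if "@" in display:
        shown = display.rsplit("@", 1)[-1].lower().strip()
        if shown in trusted:
            return {**result, "verdict": "lookalike", "reason": f"display name claims {shown}"}

    norm = normalize(domain)
    for t in sorted(trusted):
        if domain.endswith("." + t):
            return {**result, "verdict": "trusted", "reason": f"subdomain of {t}"}
        if t in domain:
            return {**result, "verdict": "lookalike", "reason": f"embeds {t} under another domain"}
        if norm == normalize(t):
            return {**result, "verdict": "lookalike", "reason": f"confusable characters for {t}"}
        if edit_distance(norm, normalize(t)) <= 2:
            return {**result, "verdict": "lookalike", "reason": f"typosquat of {t}"}
    return result


def triage(headers: list[str]) -> list[tuple[str, str]]:
    """Map a batch of From: values to (domain, verdict) for a quick review."""
    return [(r["domain"], r["verdict"]) for r in map(classify_sender, headers)]


# Constructed From: headers, not real senders.
SAMPLE_FROM = [
    'Jane Doe <jane@example-thinktank.org>',
    'Jane Doe <jane@examp1e-thinktank.org>',
    'Jane Doe <jane@example-thinktanks.org>',
    '"jane@example-thinktank.org" <jane.doe@freemail-example.net>',
    'Jane Doe <jane@example-thinktank.org.attacker-example.net>',
    'Bob Roe <bob@unrelated-example.net>',
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        r = classify_sender(header)
        print(f"{r['verdict']:9} {r['domain']:45} {r['reason']}")
```

The edit-distance threshold of two is deliberately loose for a short allowlist; with a large allowlist of short domains it will produce false positives between unrelated legitimate domains, so in practice the `lookalike` verdict should route a message to review or add a banner rather than block it outright, and the allowlist should be built from domains the organisation actually exchanges mail with.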
During most of 2021, it focused on health-related sectors, a shift likely meant to support North Korean pandemic response efforts and evidence of how North Korean hacking groups change priorities in step with Pyongyang’s.