The Jerusalem Post

Suspected North Korean cyber group seeks to woo bitcoin job seekers

By ERIC AUCHARD

FRANKFURT (Reuters) – The surging price of cryptocurrencies in global markets is catching the eye not just of ordinary retail investors but also a cyber-crime gang with links to the North Korean government, according to cyber researchers tracing the group’s activities.

The Lazarus cyber-crime group is mounting an ongoing scheme to steal the online credentials of bitcoin industry insiders, a report published by researchers at US cybersecurity firm Secureworks’s Counter Threat Unit (CTU) said on Friday.

Cybersecurity firms including Secureworks suspect North Korea to be behind the Lazarus group, which they link to an $81 million cyber heist last year at the Bangladesh central bank and a 2014 attack on Sony’s Hollywood studio.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high, and [it] is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Prices for the volatile cryptocurrency surged past $10,000 late last month and have continued to race upward toward $20,000. A single bitcoin traded above $17,500 on Friday, up more than 7% on the day and more than 18 times in the year to date.

Secureworks said that as recently as last month it had monitored a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.

Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.

This malware shares technical links with former campaigns staged by the mysterious cyber-crime group Lazarus, which Secureworks has labeled “Nickel Academy.” Secureworks did not say whether anyone who received the email actually clicked on the link.

The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers believe the efforts to steal credentials are still ongoing, they said in a statement.

Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, they said.

Secureworks researchers have found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple user names originating from computers using extremely rare North Korean Internet addresses were found researching bitcoin.

The same Internet addresses were linked to previous North Korean cyberattacks.

A spokeswoman for Secureworks said the company was releasing its preliminary findings now, and a more complete report would be published later.
