North Korean Hacking Group Reportedly Carrying Out Massive Spearphishing Campaign
A recently published report indicates that a North Korean hacking group has launched a widespread malicious spearphishing campaign.
It’s the US cybersecurity firm Secureworks that has published the report; the report says that the North Korean cyber threat group Lazarus has launched the attach targeting financial executives of cryptocurrency companies. It’s reported that the campaign is ongoing and is the continuation of an activity that was observed for the first time in 2016. Victims are lured with phishing emails that seem to be about a job opening for the role of CFO in a cryptocurrency company.
The Secureworks press release, dated December 15, 2017, says- “In November 2017, Secureworks Counter Threat Unit™ (CTU) researchers discovered the North Korean cyber threat group, known as Lazarus Group and internally tracked as NICKEL ACADEMY by Secureworks, had launched a malicious spearphishing campaign using the lure of a job opening for the CFO role at a European-based cryptocurrency company. CTU researchers assess this as the continuation of activity first observed in 2016, and it is likely that the campaign is ongoing. This latest round of phishing appears to have been delivered around 25 October 2017.”
The report also discusses North Korea’s interest in bitcoin, which perhaps had been there since 2013. The press release says- “At that time, the North Koreans were using proxies to mask their originating IP address, but occasionally, those proxies failed, and revealed North Korean actors’ true originating IP, which was the same North Korean IP used in previous cyber operations.” Secureworks experts are of the opinion that since bitcoin prices have risen, North Korea has an increased interest in cryptocurrency and hence the North Korean hackers show increasing interest in cryptocurrency-related activities. The inference is that there is North Korea’s threat against cryptocurrency would remain elevated in the near future as well.
There is a detailed explanation in the Secureworks press release on how the phishing thing works. Here’s an excerpt with some relevant details- “Upon opening the word attachment in the phishing email, the victim is presented with a pop-up message encouraging the user to accept the ‘Enable Editing’ and ‘Enable Content’ functions…The email contains a Microsoft Word document with an embedded malicious macro that, when enabled, creates a separate decoy document (the CFO Job Lure), that is shown to the recipient …It then installs a first-stage Remote Access Trojan (RAT) in the background that the malicious document is configured to deliver. Once the RAT is installed on the victim’s computer, the threat actors can download additional malware at any time.”
BTCMANAGER, the web portal that discusses everything pertaining to the bitcoin industry and focuses on Bitcoin, Blockchain, and FinTech news, has published a report based on the Secureworks release. This report also discusses, in brief, about the North Korean hacking group Lazarus. The report says- “Lazarus, the hacking group in question, is suspected of being responsible for several major cybercrime incidents, including the infamous 2014 Sony hack, that was rumored to be spurred by the release of “The Interview,” a film depicting North Korean leader Kim Jong-un.
Given that the average North Korean citizen has no real access to the internet, it has been long speculated that Lazarus maintains deep ties with the North Korean government. Furthermore, it may not be outlandish for them to be colluding, especially since the regime has shown a tendency to spy on other countries, among other clandestine activities.”
Julia Sowells280 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.