US-based researchers have established a link between a recent hacking operation targeting South Korean cryptocurrency holders and a Pyongyang-based hacker group. The hacker group, known as Lazarus, is the same outfit thought to have carried out the WannaCry attack and the high-profile assault against Sony Pictures Entertainment.
Lazarus is believed to be at the heart of a state-sponsored hacking offensive, which has targeted financial institutions in order to raise funds for the cash-strapped North Korean government. It is known as Hidden Cobra by the US government, and has also launched attacks on US and South Korean websites.
“This late 2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft,” the researchers noted.
The report, written by cyber experts at Recorded Future, outlines how the group used malware to attack users of Coinlink, a popular cryptocurrency exchange based in South Korea. Researchers believe that the attack originates from North Korea owing to similarities between the code utilised and that used in previous operations.
The researchers noted that hackers used Chinese terms in their code in an apparent attempt to misdirect any investigations, but that some were inappropriately used. This is a commonly employed trick by Lazarus, which has previously included Russian words in its script.
Researchers emphasised that while the operation had only affected South Koreans, the same software weakness that was exploited is present in a wide array of internationally-used products. This could potentially leave cryptocurrency holders elsewhere exposed, especially if South Korea responds by elevating security.
“As South Korean exchanges harden their networks and the government imposes stricter regulatory controls on cryptocurrencies, exchanges and users in other countries should be aware of the increased threat level from North Korean actors,” they wrote.