7 million worth of cryptocurrencies STOLEN using Pyeongchang Olympics as a lure

US cybersecurity firm Recorded Future has released a new report. It is linking Lazarus, a North Korean hacking group, to various South Korean cryptocurrency exchange hacking attacks and security breaches.

Recent reporting regarding North Korean attacks against cryptocurrency exchanges and using Pyeongchang Olympics as a lure describe techniques that are unusual for the Lazarus Group. These include leveraging PowerShell, HTA, JavaScript, and Python. None of which are common in Lazarus operations over the last eight years. The campaign we discovered showcases a clear use of Lazarus TTPs to target cryptocurrency exchanges. They also target social institutions in South Korea.

Bithumb is the second largest cryptocurrency exchange in the global market by daily trading volume. In February 2017 it fell victim to a security breach. That led to the loss of around $7 mln of user funds. Mostly in Bitcoin and Ethereum’s native cryptocurrency Ether.

Recorded Future released a report. It noted that they linked the $7 mln Bithumb security breach to North Korean hackers. Insikt Group researchers is a group of cybersecurity researchers that closely track the activities of North Korean hackers regularly. They revealed that Lazarus Group, in particular, has used a wide range of tools to gain access to cryptocurrency wallets and accounts. They used everything from spear phishing attacks to malware distribution through communication platforms.

Insikt Group researchers disclosed that Lazarus Group hackers initiated a massive malware campaign in the fall of 2017. Since then, North Korean hackers have focused on spreading malware by attaching files containing fraudulent software.  That way they gained access to individual devices.

One method Lazarus Group employed was interesting. They used the distribution of Hangul Word Processor (HWP) files through email, the South Korea equivalent of Microsoft Word documents. Those files had malware attached. If any cryptocurrency user downloads the malware, it autonomously installs itself and operates in the background. It is taking control of or manipulating data stored within the specific device.

At the time, local investigators stated that they have found evidence to link the YouBit security breach to North Korean hackers. FireEye senior analyst Luke McNamara also told Bloomberg that similar tools widely utilized by North Korean hackers were employed in the YouBit hacking attack.

“This an adversary that we have been watching become increasingly capable and also brazen in terms of the targets that they are willing to go after. This is really just one prong in a larger strategy that they seem to be employing since at least 2016, where they have been using capability that has been primarily used for espionage to actually steal funds.”