New North Korean APT launders crypto to fund spying programmes

Mandiant has attributed an ongoing campaign of malicious activity to a newly designated APT that is engaged in the acquisition and laundering of cryptocurrency to fund the regime’s espionage activities

By Alex Scroxton, Security Editor

Published: 29 Mar 2023 11:52

Threat researchers at Google Cloud’s Mandiant have attributed a campaign of cyber criminal activity out of North Korea to a newly designated advanced persistent threat actor, APT43, in its first official “upgrade” in six months.

Mandiant said APT43 was a prolific threat actor operating on behalf of North Korea’s regime, and like many other groups operating from the impoverished and isolated state, its stock-in-trade is financially motivated cyber crime.

Its researchers have been tracking the group’s activity since 2018, poring over reams of research data and connecting the dots between various incidents, but only now has it gathered enough evidence to be able to make a formal attribution.

APT43’s priorities align with the mission of North Korea’s foreign intelligence unit, the Reconnaissance General Bureau (RGB), and its primary focus is the laundering of cryptocurrency to buy operational infrastructure in a way that reduces the need for the central government to spend much-needed funds. This aligns with the state’s Juche ideology of self-reliance.

Its targeting has heretofore been aimed mainly at South Korea, Japan, Europe and the US, across a wide range of sectors including government, business and manufacturing. Like many other North Korean advanced persistent threats (APTs), it also targets educational and research institutions, and organisations such as political thinktanks that deal in regional geopolitics and especially nuclear policy.

“In Europe, concerns for this group should be focused more on the espionage side than on revenue-generation activities, which have been more common in the US,” said Mandiant principal analyst Michael Barnhart.

“During the pandemic, parts of APT43 had secondary objectives to acquire Covid-19 vaccine-related information in addition to their mandate surrounding strategic nuclear and foreign relations efforts, so we saw them target thinktanks and policy-making organisations, foreign relations entities, and governing bodies in Europe to try to achieve this goal.

“We’ve also seen the group posing as journalists to inquire into matters of intelligence interest to the DPRK regime, targeting European organisations. Some of these information-seeking messages contain no payloads and are simply meant to establish a rapport, but others have malware-laden documents or links in the form of a news questionnaire to send back to the attackers,” said Barnhart.

“We’ve seen APT43 be extremely successful with these fake reporter emails, generating high success rates in eliciting a response from targets. This serves as a reminder to verify the addresses and identities of the people you’re speaking to.”

APT43 deploys phishing emails and social engineering tactics to compromise its victims, and does not seem to be actively interested in zero-day exploits, said Mandiant.

The group has been observed creating numerous spoofed or outright fraudulent personas that it uses in social engineering, and its operatives often present themselves as key individuals in their target area, such as high-profile diplomats or geopolitical analysts.

It uses stolen personally identifiable information (PII) on such individuals to create convincing accounts and domains to fool their targets.
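The fake-journalist approach described above relies on the recipient accepting a plausible display name and a domain that looks right at a glance. The following script is an added defensive example, not code from the article or from Mandiant; it shows how a mail-filtering or triage step can check the claims in an inbound message against a verified contact list. The organisation name, domains and sample messages are constructed for illustration, and the allow-list would in practice be populated from verified contact records.

```python
import email
from email import policy

# Constructed allow-list: organisations our staff correspond with, mapped to the
# sending domains those organisations genuinely use (hypothetical values).
KNOWN_ORGS = {
    "example times": {"exampletimes.com"},
}
# Common webmail domains; a claimed newsroom writing from one of these is worth a look.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _first_address(msg, header):
    """Return (display_name, domain) of the first address in a header, or empty strings."""
    h = msg.get(header)
    if h is None or not getattr(h, "addresses", ()):
        return "", ""
    addr = h.addresses[0]
    return addr.display_name, addr.domain.lower()


def assess_sender(raw_message: str, known_orgs=KNOWN_ORGS) -> dict:
    """Compare the organisation a message claims to come from with its actual sending domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_domain = _first_address(msg, "From")
    _, reply_domain = _first_address(msg, "Reply-To")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Text in which the sender might assert an affiliation: name, subject and body.
    claim_text = f"{display_name} {msg.get('Subject', '')} {text}".lower()

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    claimed = [org for org in known_orgs if org in claim_text]
    for org in claimed:
        legit = known_orgs[org]
        if from_domain in legit:
            continue  # claim matches a verified domain for that organisation
        near = [d for d in legit if 0 < edit_distance(from_domain, d) <= 2]
        if near:
            findings.append(f"{from_domain} is a lookalike of {near[0]} ({org})")
        elif from_domain in FREE_WEBMAIL:
            findings.append(f"claims {org} but sends from webmail domain {from_domain}")
        else:
            findings.append(f"claims {org} but {from_domain} is not a known domain for it")

    return {"from_domain": from_domain, "claimed_orgs": claimed,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real correspondence).
SAMPLE_LOOKALIKE = """\
From: "Jane Doe, Example Times" <jane.doe@exampletimes.co>
Reply-To: jane.doe@example-mail.net
To: analyst@thinktank.example
Subject: Questionnaire on regional nuclear policy
Content-Type: text/plain; charset="utf-8"

Hello, I am a correspondent with Example Times and would value your answers
to the attached questionnaire.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@exampletimes.com>
To: analyst@thinktank.example
Subject: Interview request
Content-Type: text/plain; charset="utf-8"

Hello, I write for Example Times and would like to arrange a short call.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        result = assess_sender(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The check deliberately looks at three independent signals (a mismatched Reply-To, a near-miss domain, and a newsroom claim from a webmail account) so that a single benign quirk does not produce a flag on its own, while the combination seen in the constructed lookalike message does.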

It also creates cover identities for purchasing operational tooling and IT infrastructure for its paymasters.

Where it does use malware, APT43 has been observed using a relatively large toolkit of publicly available tools, including gh0st RAT, QUASARRAT, AMADEY and the LATEOP Visual Basic backdoor, but it has also been seen developing its own variants in-house, notably an Android variant of the PENCILDOWN Windows-based downloader.

Ultimately, APT43’s goal seems to be to use the cryptocurrency it steals to buy hash rental and cloud mining services, which provide hash power that it then uses to mine cryptocurrency into a wallet of its own choosing, with no blockchain-based link back to the original payments. Effectively, it launders cryptocurrency by using stolen funds to create clean funds.

Mandiant said the group was clearly self-supporting and able to fund its own operations, and that, barring a drastic change in North Korea’s priorities or the downfall of its regime, it would remain prolific in carrying out espionage campaigns and financially motivated activities in support of its goals.

“We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43’s persistent and continuously developing operations reflect the country’s sustained investment and reliance on groups like APT43,” the research team concluded.

“As demonstrated by the group’s sudden but temporary shift towards healthcare and pharmaceutical-related targeting, APT43 is highly responsive to the demands of Pyongyang’s leadership.

“Although spear-phishing and credential collection against government, military and diplomatic organisations have been core taskings for the group, APT43 ultimately modifies its targeting and tactics, techniques and procedures to suit its sponsors, including carrying out financially motivated cyber crime as needed to support the regime,” they added.

More information on APT43, including indicators of compromise (IoCs), can be downloaded here.
