North Korean hackers use LinkedIn for cryptocurrency heist, report reveals

'Evidence suggests this is part of an ongoing campaign targeting organisations in over a dozen countries,' researcher warns

Anthony Cuthbertson
Tuesday 25 August 2020 18:52 BST
LinkedIn is the latest platform for North Korean hackers to initiate cryptocurrency heists, new research suggests

Hackers linked to North Korea have used LinkedIn as part of a major heist to steal cryptocurrency, new research has revealed.

The notorious Lazarus Group, which was behind the 2014 cyber attacks on Sony, carried out an attack against a cryptocurrency organisation using a tailored job advert posted to the professional social network.

Researchers at the security firm F-Secure, who uncovered the attack, said it was part of a broader campaign targeting organisations in at least 14 different countries.

“Our research, which included insights from our incident response, managed detection and response, and tactical defence units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said Matt Lawrence, F-Secure’s director of detection response.

“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important.”

Countries caught up in the campaign include the United Kingdom, United States, China, Germany, Russia and South Korea.

The latest attack involved creating a fake job offer tailored to the profile of a system administrator within the target organisation.

The malicious document was part of a phishing attack designed to extract the target's personal information and other private data needed to access their online accounts and ultimately steal bitcoin and other cryptocurrency.

Paul Rockwell, head of trust and safety at LinkedIn, told The Independent: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members.

“We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.”

North Korea has shown a strong interest in cryptocurrency in recent years, as its decentralised and semi-anonymous nature offers a way to bypass crippling economic sanctions, launder money and finance military development.

In 2019, Pyongyang hosted a controversial blockchain and cryptocurrency conference, inviting international experts to speak and attend the event.

Following the conference, one developer was arrested and charged with conspiracy to violate the International Emergency Economic Powers Act.

F-Secure warned that attacks on cryptocurrency firms will likely continue, as well as other crypto-related attacks.

"Lazarus Group's activities are a continuous threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance among organisations operating in the targeted verticals," F-Secure's report concluded.

"It is F-Secure's assessment that the group will continue to target organisations within the cryptocurrency vertical while it remains such a profitable pursuit."
