North Korea stole a record amount of cryptocurrency assets in 2022 using “increasingly sophisticated” methods, according to a currently confidential United Nations report.
Hackers from the country targeted networks of foreign aerospace and defence companies, the report said.
Independent sanctions monitors said South Korea estimated that North Korean-linked hackers stole virtual assets worth $630 million in 2022. Another cybersecurity firm assessed that North Korean cybercrime yielded cryptocurrencies worth more than $1 billion.
“The variation in USD value of cryptocurrency in recent months is likely to have affected these estimates, but both show that 2022 was a record-breaking year for DPRK (North Korea) virtual asset theft,” the UN report said.
US-based blockchain analytics firm Chainalysis last week reached the same conclusion. North Korea-linked hackers such as those in the cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers, stealing an estimated $1.7 billion in multiple attacks last year, the report said.
The Lazarus Group has been accused of involvement in the “WannaCry” ransomware attacks, hacking of international banks and customer accounts, and the 2014 cyber-attacks on Sony Pictures Entertainment.
Last May, China and Russia vetoed a US-led push to impose more UN sanctions on North Korea. This included a proposed asset freeze on the Lazarus hacking group.
Phishing through LinkedIn, WhatsApp
“(North Korea) used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programmes,” the sanctions monitors reported to a UN Security Council committee.
The monitors said most cyber attacks were carried out by groups controlled by North Korea’s primary intelligence bureau – the Reconnaissance General Bureau. They said those groups included hacking teams tracked by the cybersecurity industry under the names Kimsuky, Lazarus Group and Andariel.
“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programmes,” the UN report said.
The sanctions monitors said the groups deployed malware through various methods including phishing. One such campaign targeted employees in organizations across various countries.
“Initial contacts with individuals were made via LinkedIn, and once a level of trust with the targets was established, malicious payloads were delivered through continued communications over WhatsApp,” the UN report said.
It also said that, according to a cybersecurity firm, a North Korean-linked group known as H0lyGh0st had “extorted ransoms from small- and medium-sized companies in several countries by distributing ransomware in a widespread, financially motivated campaign.”
The UN report, submitted to the 15-member council’s North Korea sanctions committee on Friday, cited information from UN member states and cybersecurity firms. It is due to be released publicly later this month or early next month, diplomats said.
- Reuters with additional editing by Vishakha Saxena