North Korean Threat Groups Steal Crypto to Pay for HackingAPT43 Launders Crypto Through Mining, Says Mandiant
North Korean threat actors are stealing cryptocurrency to fund hacking operations under an apparent mandate from Pyongyang to be self-sufficient, threat intel firm Mandiant says.
The firm says in research published Tuesday that it has spotted a group it dubs APT43 laundering stolen digital assets through rented cryptocurrency mining services. The group, which overlaps with activity attributed to North Korean groups Kimsuky or Thallium, is primarily a cyberespionage operation.
"They're the guys Kim Jong Un goes to after launching a missile to ask: 'What did the world think of that?’" said Michael Barnhart, a Mandiant principal analyst. The Google-owned firm says APT43 is a distinct group despite overlaps with other Pyongyang actors, commonalities Mandiant says occur among North Korean hacking groups as "the result of ad hoc collaborations or other limited resource sharing."
"It's like a whole new ecosystem now," said Joe Dobson, Mandiant principal analyst. Hackers' dependence on technology such as public blockchains helps analysts trace financial activity and distinguish between different threat actors.
Cash-strapped North Korea has famously used cryptocurrency theft to pump up its lagging finances, channeling the money into developing weapons of mass destruction. State hackers stole about $1.7 billion worth of digital assets during 2022 alone, calculates blockchain analysis firm Chainalysis (see: Banner Year for North Korean Cryptocurrency Hacking).
APT43's sideline in cryptocurrency hacking suggests it has been told to pay for infrastructure, such as server rentals, through hacking, Mandiant says - a development that likely applies widely to North Korean hacking groups.
The Kim regime probably expected before 2020 that its hacking groups would pay their own way, but the novel coronavirus pandemic likely put threat actors under additional pressure to be self-financing, Barnhart told Information Security Media Group.
The group launders stolen cryptocurrency by paying for cloud mining services to generate new cryptocurrency that doesn't have a blockchain history. "For a small fee, DPRK walks away with untracked, clean currency to do as they wish," Barnhart said. DPRK is the acronym for North Korea's official name - the Democratic People's Republic of Korea.
Paying for mining is an "unusual and incredibly clever way" of laundering stolen money, said Dobson. "Imagine a robber steals silver bars from a bank and then buys gold with that stolen silver. So while law enforcement is looking for the stolen silver, the bank robber is running around with bars of gold," he said.
The dollar amounts stolen by APT43 are not immense because the group does not need millions of dollars: The group's focus is not to generate revenue for the regime but just to run its operations, Dobson said.
"Imagine how much server infrastructure you can rent as a threat actor who doesn't have to worry about huge amounts of traffic for $10,000. That's a pretty substantial amount of servers, and the hackers are definitely stealing well above that," he said.
Mandiant says the threat group uses PayPal and American Express cards, likely funded through bitcoin stolen during earlier operations, to buy hardware and infrastructure. It has used compromised and self-owned infrastructure to host and deliver malware to targets and collect credentials.
APT43 itself has "moderately sophisticated technical capabilities with aggressive social engineering tactics" that especially target government agencies and think tanks that focus on Korean Peninsula geopolitical issues, Mandiant says.
The group deploys spear-phishing campaigns using spoofed domains and email addresses. Its operators pose as reporters and think tank analysts to build rapport with victims to gather intelligence and regularly update lure content and tailor it to the specific target audience.
Barnhart called the group's technique "low sophistication, high volume."
APT43 also uses the contact lists of compromised individuals to identify additional targets for spear-phishing. It uses these stolen credentials to create online personae and set up infrastructure for cyberespionage operations and to directly compromise financial data, personal identifying information and client data in sectors including business services and manufacturing.
During most of 2021, APT43 focused on health-related sectors, likely to support North Korean pandemic response efforts, providing evidence of how North Korean hacking groups shift priorities in response to Pyongyang's top issues.