SEOUL, Jan. 25 (BP) — North Korean hackers are displaying a “startup mentality” as they experiment with new methods to pull off cryptocurrency heists, a report by cybersecurity firm Proofpoint said Wednesday.
The Sunnyvale, California-based firm said that a group it identifies as TA444, which overlaps with the infamous hacker collective Lazarus, launched a massive wave of phishing attacks in December targeting the financial, education, government and healthcare sectors in the United States and Canada.
The group’s emails used approaches that differed from tactics researchers had previously associated with them, including efforts to gain users’ passwords and login information.
“This sprawling credential harvesting activity is a deviation from normal TA444 campaigns, which typically involve the direct deployment of malware,” the report said.
The hackers used email marketing tools to help avoid phishing filters and created content such as job offers and salary adjustments to lure targets. They also relied on social media networking service LinkedIn to engage with victims before delivering links to malware, the researchers said.
Proofpoint said the December spam wave nearly doubled the volume of emails sent by the group for the entire year.
Greg Lesnewich, senior threat researcher at Proofpoint, said in an email that TA444 has a “startup mentality” and is “testing a variety of infection chains to help expand its revenue streams.”
“This threat actor rapidly ideates new attack methods while embracing social media as part of their M.O.,” he said. “TA444 spearheads North Korea’s cashflow generation for the regime by bringing in launderable funds.”
North Korea remains under heavy international sanctions and has increasingly turned to cybercrime in an effort to finance its illicit weapons program.
The Pyongyang-affiliated Lazarus Group was behind the stunning theft of more than $600 million in cryptocurrency from an online video game network in March, according to the FBI.
On Monday, the FBI also confirmed that the Lazarus Group was responsible for a $100 million heist in June of Horizon Bridge, a crypto transfer service operated by U.S.-based Harmony blockchain.
South Korea’s National Intelligence Service said last month that North Korea had stolen cryptocurrency assets worth $1.2 billion globally since 2017, with the majority of it coming in 2022.
The spy agency warned that Pyongyang was expected to step up its efforts this year to steal sensitive intelligence and defense technology from the South.