Jonathan Greig
A new study has revealed that North Korean hackers are targeting financial institutions in Japan, Vietnam and the United States.
Recorded Future's Insikt Group reported the campaign as being linked to APT38, a state-sponsored North Korean group known for high-profile attacks on cryptocurrency companies.
Researchers discovered six malicious files in the last cluster of domains between September 2022 and March 2023. Insikt Group previously reported that TAG-71 was responsible for overlapping activity, which included spoofing domains of financial firms located in Japan and Taiwan as well as popular cloud service providers.
The Record from Recorded Future has an independent editorial team.
According to the report, North Korean hacking organizations have an extensive history of attacking cryptocurrency trading sites, banks, and online shopping websites in order to make money.
Through these campaigns, North Korea continues its efforts to raise funds for a regime that remains subject to significant international sanctions.
Mitch Haszard, a research analyst at Insikt Group, noted that the most recent campaign focused primarily on spoofing venture-capital firms. APT38 had previously targeted SWIFT as well as cryptocurrency exchanges, he said.
Both are clearly aimed at stealing money. However, spoofing a venture capital firm is something completely new.
According to researchers, hackers in North Korea were using 18 malicious servers for malware delivery by March 2022. In March 2022, hackers used spoofs of cloud services, cryptocurrency trading platforms, and private investment firms to lure potential victims into downloading malicious software or handing over their login information.
In targeting investment banking firms and venture capitalists, the group aims to expose "sensitive information or confidential material of these companies or their customers, which may result in legal or regulatory action, jeopardizing business agreements or negotiations that are pending, or disclosing information harmful to strategic investment portfolios."
Insikt Group identified three other IP addresses during a campaign between January and March of 2023.
Many of these domains were linked to document-sharing software, including "doc share" and "autoprotect". Others purported to represent financial institutions with offices in Japan and Vietnam.
Kaspersky researchers connected some of the IP addresses to another financially motivated hacking organization.
Researchers predict that North Korean hackers will likely continue launching financially motivated attacks as a consequence of crippling economic sanctions.