North Korean hackers use LinkedIn for cryptocurrency heist, report reveals

'Evidence suggests this is part of an ongoing campaign targeting organisations in over a dozen countries,' researcher warns

Anthony Cuthbertson
Tuesday 25 August 2020 18:52 BST
Comments
LinkedIn is the latest platform for North Korean hackers to initiate cryptocurrency heists, new research suggests
LinkedIn is the latest platform for North Korean hackers to initiate cryptocurrency heists, new research suggests (Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Hackers linked to North Korea have used LinkedIn as part of a major heist to steal cryptocurrency, new research has revealed.

The notorious Lazarus Group, which was behind the 2014 cyber attacks on Sony, carried out an attack against a cryptocurrency organisation using a tailored job advert posted to the professional social network.

Researchers at the security firm F-Secure, who uncovered the attack, said it was part of a broader campaign targeting organisations in at least 14 different countries.

“Our research, which included insights from our incident response, managed detection and response, and tactical defence units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said Matt Lawrence, F-Secure’s director of detection response.

“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important.”

Countries caught up in the campaign include the United Kingdom, United States, China, Germany, Russia and South Korea.

The latest attack involved creating a fake job offer tailored to the profile of a system administrator within the target organisation.

The malicious document was part of a phishing attack designed to extract the target's personal information and other private data needed to access their online accounts and ultimately steal bitcoin and other cryptocurrency.

Paul Rockwell, head of trust and safety at LinkedIn, told The Independent: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members.

"We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.”

North Korea has shown a strong interest in cryptocurrency in recent years, as its decentralised and semi-anonymous nature offers a way to bypass crippling economic sanctions, launder money and finance military development.

In 2019, Pyongyang hosted a controversial blockchain and cryptocurrency conference, inviting international experts to speak and attend the event.

Following the conference, one deverloper was arrested and charged with conspiracy to violate the International Emergency Economic Powers Act.

F-Secure warned that attacks on cryptocurrency firms will likely continue, as well as other crypto-related attacks.

"Lazarus Group's activities are a continuous threat: the phishing campaign associated with this attack has been observed continuing into 2020, raising the need for awareness and ongoing vigilance among organisations operating in the targeted verticals," F-Secure's report concluded.

"It is F-Secure's assessment that the group will continue to target organisations within the cryptocurrency vertical while it remains such a profitable pursuit."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in