North Korean hacking group APT43 found to rely on cryptocurrency crime
A North Korean hacking group tracked as APT43 funds itself through cryptocurrency theft and laundering, according to a report published by the security firm Mandiant on March 28, 2023.
APT43 uses cryptocurrency
Mandiant said that although APT43’s main objective is espionage, the group also engages in various types of crime both related and unrelated to crypto.
Mandiant said that APT43 harvests user credentials through phishing, impersonating online services such as cryptocurrency exchanges and search engines to collect logins. In one case the group built a malicious app aimed at Chinese-speaking users seeking cryptocurrency loans.
The report also said that APT43 launders stolen cryptocurrency through cryptocurrency services, and that it pays for hash rental and cloud mining services with stolen funds in order to mine fresh coins that cannot be traced back to the original theft.
Mandiant also noted that APT43's tooling overlaps with other North Korean activity clusters: cryptocurrency-related malware such as PENCILDOWN and LONEJOGGER has been shared between them.
Who is at risk, and how large is the threat?
Mandiant said that APT43 most often targets South Korea, the U.S., Japan, and Europe. Its primary initial-access method is spear-phishing aimed at specific individuals within an organization; the group is not known to exploit zero-day vulnerabilities.
Mandiant’s report does not state how much money APT43 has stolen, either in total or in cryptocurrency. However, Mandiant says that APT43 has stolen enough cryptocurrency to allow it to operate in a self-reliant, self-financing manner.
Though APT43 has only just been named publicly, it has operated for years: Mandiant said it has tracked the group since 2018. In 2021 the group shifted much of its attention to health-related targets in order to collect intelligence on pandemic responses.
Though most individual users are unlikely to be a target of APT43, cryptocurrency investors should still take precautions against phishing, scams, and fraud in general.