North Korean hackers turn focus to cryptocurrency, point-of-sale systems during holiday season

RiskIQ and Proofpoint's findings reveal not only newly discovered, highly sophisticated tactics and capabilities held by North Korea's Lazarus Group, but they also highlight the internal divisions within it.
Pyongyang, North Korea -- Wikicommons CC2.0

Cybercriminals linked to North Korea appear to be simultaneously targeting point-of-sale (POS) systems as well as cryptocurrency platforms as the annual holiday spike continues in retail stores and the hype surrounding bitcoin surges, according to research by cybersecurity firms Proofpoint and RiskIQ.

Reports by the two companies published late Tuesday shine a light on the ways in which hackers are increasingly developing different types of custom attacks to either steal cryptocurrency or infect computers with so-called “cryptojacking” software. The latter involves the covert installation of malicious computer code into compromised web browsers in order to siphon off processing power, which can in turn be used to mine cryptocurrencies.

The researchers say the hacks in question are connected to the Lazarus Group, the cybersecurity community’s name for North Korea’s premier cybercrime and cyber-espionage organization. Attacks on the financial system are one of the communist regime’s chief sources of funding as it faces global sanctions over its nuclear program.

A malware framework newly identified by Proofpoint and associated with the activity has been codenamed “PowerRatankba.”


PowerRatankba was reportedly connected to multiple, recent spearphishing campaigns narrowly aimed at individuals with a common interest in trading cryptocurrencies.

Hackers using the platform also relied on compromised websites and fake social media accounts to strategically infect certain systems.

PowerRatankba, according to Proofpoint, is the work of an internal Lazarus Group unit that the research community has separately dubbed “Bluenoroff.” The Bluenoroff subgroup is almost exclusively concentrated on launching and profiting from cybercrime scams, according to prior analysis by Russian cybersecurity firm Kaspersky Lab.

“Cryptocurrencies are rising in value so rapidly that any successful theft can be lucrative,” explained Patrick Wheeler, director of threat intelligence for Proofpoint. “We are seeing, for example, rapid adoption of coinmining malware among crimeware operators while we also see spikes in POS malware traffic around the holidays.”


Danger at the swipe

The researchers also found some evidence that PowerRatankba — a multifaceted modular framework capable of deploying various remote access trojans (RATs) — has spread point-of-sale (POS) malware.

“This appears to be the first publicly documented instance of a state-sponsored actor attacking point-of-sale infrastructure for financial gain,” described Wheeler. “In this case we were also able to extensively document the custom-built tools and procedures that Lazarus group is using to perform cryptocurrency theft.”

POS malware is typically built to exploit vulnerabilities in specially designed software used to support credit or debit card processing machines. In such an attack, the objective is usually to steal customer payment information.

“Having a state-sponsored group turn their sophisticated tools and resources on individuals strictly for financial gain rather than espionage is not only unusual, but raises the stakes considerably for individuals, organizations, and defenders,” described Wheeler.


Experts say the Lazarus Group represents a decentralized, dispersed entity likely comprised of various intermediaries located both inside North Korea and beyond its borders. The New York Times previously reported that some of North Korea’s past hacking operations likely involved a mysterious network of “sleeper cells” based in Southeast Asia, for example.

“We cannot comment on the use of contractors in foreign countries and can only speculate on the purpose of Lazarus’ organization or structure,” Wheeler responded.

RiskIQ and Proofpoint’s findings reveal not only newly discovered, highly sophisticated tactics and capabilities held by the Lazarus Group, but they also further highlight the internal division of labor within it. The group appears to separate its financially motivated operations from some of the more disruptive campaigns attributed to it, including the 2014 attacks on Sony Pictures.

“This presence of subgroups, particularly a financially motivated arm, was well-documented by other researchers, but we see tool differentiation as well as attack hallmarks that suggest the presence of multiple subgroups,” Wheeler said.

He continued, “This research provides a snapshot of the tools and techniques associated with one arm of Lazarus, but the full evolution of the group has not been well-documented. That said, their growing focus on financially motivated cybercrime is noteworthy for individuals and defenders alike.”
