A group of North Korean hackers that has allegedly made a name for itself by targeting American-based crypto firms appears to have upped its ante – and is now reportedly targeting Russian and other international defense companies.
Per Kommersant, Anastasia Tikhonova, head of sophisticated threats research at Group-IB, said the group, known as Kimsuki (variously Kimsuky), has “taken advantage of the coronavirus pandemic” with spear-phishing attacks conducted via email and social media networks “to obtain confidential information from Russian aerospace and defense companies.”
The same media outlet stated that RT-Inform, the IT security arm of the Russian state-owned tech agency Rostec, “did not confirm or deny” the reports, but did note that there had been an increase in the number of incidents and cyberattacks on the IT networks of the organizations it represented in the period April to September 2020.
Kommersant stated that it believes most of the attacks “were poorly prepared” and “did not pose a significant threat.” But Tikhonova suggested that the hackers may simply be “testing the waters” ahead of “a more serious attack” on Russian firms’ networks.
Tikhonova added that North Korean hackers had also recently launched attacks on a Turkey-based firm, and that the group had focused specifically on companies making artillery and armored vehicles based in Russia, Ukraine, Slovakia, Turkey and South Korea.
And an August 2020 UN report alleged that Kimsuki has targeted at least 28 UN officials, including at least 11 senior UN Security Council staff with similar spear-phishing attacks on Gmail accounts.
Earlier this year, Daily NK reported that the Kimsuki-affiliated Lazarus hacking group was stepping up its efforts to hack into crypto exchanges and lift money from crypto wallets as the global economy took a turn for the worse following the start of the coronavirus pandemic.
A security expert in South Korea last month told Cryptonews.com that “malicious actors with impeccable Korean language skills are now targeting employees at South Korean financial institutions including crypto exchanges with what look like bona fide job offers.”
Kimsuki, which a number of security experts said targeted a number of American and South Korean crypto firms in the 2018-2019 period, has also been linked to an attack that security firm Ahn Labs said makes use of Microsoft Word documents laced with malicious code – while Lazarus has been using platforms like LinkedIn to spear-phish crypto exchange staff, per an American security firm.