North Korean hackers known for cryptocurrency heists are expanding their targets to include education, government and healthcare, according to researchers tracking the group. The activity could be a sign that the group, which is suspected in two high-profile cryptocurrency hacks in 2022, may have even bigger plans for 2023.
Researchers at the cybersecurity firm Proofpoint observed in early December a massive wave of phishing emails from a cluster of North Korea-related hacking activity linked to TA444, the firm’s name for the group. The latest campaign, which blasted more emails than researchers attributed to that group in all of 2022, tried to entice users to click a URL that redirected to a credential harvesting page.
Proofpoint could not disclose the specifics about targets for confidentiality reasons, but most related to finance in some way. Documents attached to the emails included titles like “Profit and Loss,” “Invoice and statement receipts” and “Salary adjustments.” The malicious emails also included lures mentioning “analyses of cryptocurrency blockchains, job opportunities at prestigious firms, or salary adjustments,” according to the report. To help avoid phishing detection tools, TA444 uses email marketing tools to engage with targets.
Researchers say that the campaign is unusual for a few reasons. Technically, it deviates from the group’s previous activity in that the hackers focused on stealing the targets’ logins and passwords rather than directly deploying malware.
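The traits the report describes (financial and job-themed lures, links routed through an email-marketing tracker, and a landing page built to harvest credentials) are the kind of signal a mail-security team can score on. The script below is an added, defender-side illustration written for this page; it is not Proofpoint's tooling or anything attributed to TA444. The keyword list, the set of tracker hostnames, the scoring weights and the sample messages are all constructed assumptions, and a real deployment would draw them from the organisation's own mail telemetry.

```python
"""Triage email metadata for financial lures and tracker redirects to login pages.

Added example for illustration only. The lure keywords, the tracker hostnames,
the weights and the sample messages below are constructed, not taken from any
vendor report.
"""
import re
from urllib.parse import urlparse, parse_qs

# Lure themes echoing the campaign description (hypothetical keyword list).
LURE_RE = re.compile(
    r"profit\s+and\s+loss|invoice|statement\s+receipts?|salary\s+adjustments?"
    r"|blockchain\s+analys[ie]s|job\s+opportunit(?:y|ies)",
    re.IGNORECASE,
)

# Hostnames of bulk-mailing / click-tracking services (constructed placeholders).
MARKETING_REDIRECTORS = {"links.example-marketing.test", "track.example-mailer.test"}

# Constructed sample messages: one matching the described pattern, one benign.
SAMPLE_MESSAGES = [
    {
        "id": "m1",
        "subject": "Salary adjustments for Q1",
        "attachments": ["Profit and Loss.pdf"],
        "urls": ["https://track.example-mailer.test/c?u=https%3A%2F%2Fsso-login.example-bad.test%2Fportal"],
        "from_domain": "example-mailer.test",
    },
    {
        "id": "m2",
        "subject": "Team lunch Friday",
        "attachments": [],
        "urls": ["https://intranet.example-org.test/menu"],
        "from_domain": "example-org.test",
    },
]


def is_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_redirect_target(url):
    """If url is a known tracker link carrying a destination URL in its query
    string, return the destination hostname; otherwise return None."""
    parsed = urlparse(url)
    if parsed.hostname not in MARKETING_REDIRECTORS:
        return None
    for values in parse_qs(parsed.query).values():   # parse_qs percent-decodes
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                return inner.hostname
    return None


def score_message(msg, org_domain):
    """Return (score, reasons) for one message dict; higher means more indicators."""
    score, reasons = 0, []
    text = " ".join([msg.get("subject", "")] + msg.get("attachments", []))
    if LURE_RE.search(text):
        score += 2
        reasons.append("financial/job lure in subject or attachment name")
    for url in msg.get("urls", []):
        dest = extract_redirect_target(url)
        if dest is None:
            continue
        score += 2
        reasons.append(f"tracking link redirects to {dest}")
        if not is_in_domain(dest, org_domain):
            score += 1
            reasons.append("redirect lands outside the organisation's domain")
        if re.search(r"login|signin|sso|auth", dest):
            score += 2
            reasons.append("destination host looks like a login page")
    sender = msg.get("from_domain", "")
    if reasons and sender and not is_in_domain(sender, org_domain):
        score += 1
        reasons.append("external sender")
    return score, reasons


def triage(messages, org_domain, threshold=4):
    """Return [(id, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg, org_domain)
        if score >= threshold:
            flagged.append((msg["id"], score, reasons))
    return flagged


if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_MESSAGES, "example-org.test"):
        print(f"{msg_id}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

The scoring deliberately weights the redirect chain over the lure words: subject-line keywords alone produce false positives in a finance department, whereas a tracker link whose decoded destination is an external host with a login-looking name is a much rarer combination in legitimate mail and is worth a human look regardless of the wording.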