North Korean threat actors are using stolen cryptocurrency to fund their hacking operations, according to research by threat intelligence firm Mandiant. The company has identified a group it calls APT43, which it says launders stolen digital assets through rented cryptocurrency mining services.
The group, which overlaps with activity by North Korean groups Kimsuky or Thallium, is primarily involved in cyber espionage. North Korea has previously used cryptocurrency theft to fund its weapons programme, with state hackers stealing $1.7bn worth of digital assets in 2022 alone, according to blockchain analysis firm Chainalysis.
APT43’s use of cryptocurrency theft to pay for infrastructure indicates that the North Korean regime expects its hackers to be self-financing.
APT43 uses PayPal and American Express cards funded through bitcoin stolen during earlier operations to buy hardware and infrastructure, according to Mandiant. The group deploys spear-phishing campaigns using spoofed domains and email addresses.
Its operators pose as reporters and think tank analysts to build rapport with victims and gather intelligence. APT43 also uses the contact lists of compromised individuals to identify further targets for spear-phishing.
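The spoofed sender domains and addresses described above are the part of this tradecraft that a mail gateway or SOC can check mechanically. The following is an added example, not code from Mandiant or from the article: it takes a constructed set of trusted correspondent domains and two constructed raw messages, flags a From: domain that is a near-miss spelling of a trusted one (or reuses its brand under a different registrable domain), and reads the Authentication-Results header to see whether SPF or DKIM failed. The domain names, header values and thresholds are all assumptions for illustration.

```python
import re
from email import message_from_string
from typing import Optional

# Domains the organisation genuinely corresponds with (constructed list, not real).
TRUSTED_DOMAINS = {"example-thinktank.org", "example-news.com"}

# Two constructed messages: one with a lookalike sender domain that fails
# authentication, one from the genuine domain that passes.
SAMPLE_SPOOFED = """From: Jane Reporter <jane@examp1e-news.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=examp1e-news.com; dkim=none
Subject: Quick question for a story on Korean Peninsula policy

Would you have time for a short interview this week?
"""

SAMPLE_LEGIT = """From: Jane Reporter <jane@example-news.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-news.com; dkim=pass header.d=example-news.com
Subject: Follow-up on last week's interview

Thanks again for your time.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small distances indicate a near-miss lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@domain>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exact, a real subdomain, or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Flag one- or two-character misspellings (examp1e-news.com), or the trusted
        # brand embedded in a different registrable domain; a genuine subdomain such as
        # mail.example-thinktank.org ends with the trusted domain and is left alone.
        if levenshtein(domain, trusted) <= 2 or (brand in domain and not domain.endswith("." + trusted)):
            return trusted
    return None


def auth_failed(auth_results: str) -> bool:
    """True when SPF or DKIM did not pass in an Authentication-Results header."""
    return bool(re.search(r"\b(spf|dkim)=(fail|softfail|none|temperror|permerror)", auth_results.lower()))


def assess(raw_message: str) -> dict:
    """Combine the two checks into a verdict a triage queue can act on."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    imitated = lookalike_of(domain)
    failed = auth_failed(msg.get("Authentication-Results", ""))
    reasons = []
    if imitated:
        reasons.append(f"sender domain {domain} resembles trusted domain {imitated}")
    if failed:
        reasons.append("SPF/DKIM did not pass")
    return {"from_domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_LEGIT):
        print(assess(sample))
```

The two signals are deliberately kept separate in the result: a lookalike domain that passes SPF and DKIM is still worth a second look, because an attacker who registers the domain can also publish valid records for it, so the domain check should not be skipped just because authentication succeeded.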
The group has moderately sophisticated technical capabilities and uses aggressive social engineering tactics, particularly targeting government agencies and think tanks focused on Korean Peninsula geopolitical issues.
Michael Barnhart, a principal analyst at Mandiant, said APT43’s technique was “low sophistication, high volume”.
He suggested that the novel coronavirus pandemic may have put pressure on North Korean hackers to be self-financing. The dollar amounts stolen by APT43 are not large, as the group’s focus is to run its operations rather than to generate revenue for the regime.
However, the group’s hacking efforts allow it to rent substantial amounts of server infrastructure for $10,000, Dobson said. During most of 2021, APT43 focused on health-related sectors, likely in response to North Korean pandemic response efforts, providing evidence of how North Korean hacking groups shift priorities in response to the regime’s top issues.