North Korean cyber spies created U.S. firms to dupe crypto developers - Reuters

In this news:

Summary
North Korean hackers set up U.S. firms to target crypto developers
Silent Push identifies Lazarus Group behind fake corporate fronts
FBI seizes Blocknovas domain linked to malware distribution
DETROIT/LONDON, April 24 (Reuters) - North Korean cyber spies created two businesses in the U.S., in violation of Treasury sanctions, to infect developers working in the cryptocurrency industry with malicious software, according to cybersecurity researchers and documents reviewed by Reuters.
The companies, Blocknovas LLC and Softglide LLC, were set up in the states of New Mexico and New York using fake personas and addresses, researchers at Silent Push, a U.S. cybersecurity firm, told Reuters. A third business, Angeloper Agency, is linked to the campaign, but does not appear to be registered in the United States.
“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” said Kasey Best, director of threat intelligence at Silent Push.
The hackers are part of a subgroup within the Lazarus Group, an elite team of North Korean hackers which is part of the Reconnaissance General Bureau, Pyongyang’s main foreign intelligence agency, Silent Push said.
The FBI declined to comment specifically on Blocknovas or Softglide. But on Thursday an FBI seizure notice posted to the website for Blocknovas said the domain was seized “as part of a law enforcement action against North Korean Cyber Actors who utilized this domain to deceive individuals with fake job postings and distribute malware.”
Ahead of the seizure, FBI officials told Reuters that the bureau continues “to focus on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.”
One FBI official said North Korean cyber operations are “perhaps one of the most advanced persistent threats” facing the United States.
North Korea's mission to the United Nations in New York did not immediately respond to a request for comment.
“These attacks utilize fake personas offering job interviews, which lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers, and they also target the developers' passwords and credentials which could be used to further attacks on legitimate businesses,” Best said.
Silent Push was able to confirm multiple victims of the campaign, “specifically via Blocknovas, which is by far the most active of the three front companies,” the researchers said in a report shared with Reuters ahead of publication.
Reuters reviewed registration documents for Blocknovas and Softglide filed in New Mexico and New York, respectively. Reuters was unable to locate the persons named in the registration documents.
Blocknovas' registration listed a physical address in Warrenville, South Carolina, that appears on Google Maps to be an empty lot. Softglide appears to have been registered by a small tax office in Buffalo, New York.
The activity represents the continuing evolution in the sprawling North Korean efforts to target the cryptocurrency sectors in a bid to raise cash for the North Korean government.
In addition to stealing foreign currency via hacks, North Korea has dispatched thousands of IT workers overseas to bring in millions to finance Pyongyang's nuclear missile programme, according to the United States, South Korea and the United Nations.
The presence of a North Korean-controlled company, registered by the RGB, in the United States is a violation of Office of Foreign Assets Control sanctions. OFAC is part of the Treasury Department. It also violates United Nations sanctions that prohibit North Korean commercial activity designed to assist the isolated country’s government or military.
The New York Department of State told Reuters it does not comment on companies registered in the state. The New Mexico secretary of state’s office told Reuters in an email on Thursday that the company was registered in the state's online Domestic LLC system. "The filing was in compliance with state statute, using a registered agent, and there would be no way our office would know its connection to North Korea," an office representative said.
The hackers sought to infect applicants for fake jobs with at least three strains of known malware previously linked to North Korean cyber operations. The malware linked to the campaign by Silent Push can be used to steal information, facilitate access to networks and load additional forms of malware.
Reporting by A.J. Vicens in Detroit, and Anton Zverev and James Pearson in London; Additional reporting by Raphael Satter in Washington, Andrew Hay in New Mexico and Michelle Nichols in New York; Editing by Chris Sanders and Daniel Wallis
A.J. Vicens, Thomson Reuters: Cybersecurity correspondent covering cybercrime, nation-state threats, hacks, leaks and intelligence.
James Pearson, Thomson Reuters: Reports on hacks, leaks and digital espionage in Europe. Ten years at Reuters with previous postings in Hanoi as Bureau Chief and Seoul as Korea Correspondent. Author of 'North Korea Confidential', a book about daily life in North Korea.
