New North Korea Hack: Hijacking Computers to Power Cryptocurrency Mining (w/video)


New cyberattack uses foreign computers to generate Monero and send it to a university in Pyongyang

SEOUL—A cybersecurity researcher has found malware that mines a type of cryptocurrency and routes the bounty to a North Korean university, showing how hackers in North Korea are targeting new assets as sanctions force Pyongyang to pursue alternative income streams.

The malware—deployed on Christmas Eve—instructs an infected computer to mine for Monero, a bitcoin alternative, according to a report released Monday by AlienVault, a U.S. cybersecurity firm. Monero describes itself on its website as a “secure, private and untraceable” form of cryptocurrency where users’ accounts and transactions are shielded from “prying eyes.”

The mined funds then flow automatically to a server domain at Kim Il Sung University; to access them, the hacker would enter a three-letter password, KJU, a likely reference to North Korean leader Kim Jong Un.

It is unclear where the virus was planted or how much Monero was extracted, said Chris Doman, an AlienVault threat engineer who identified the malware from a database of computer viruses amassed by VirusTotal, a subsidiary of Alphabet Inc.’s Google. Because only large organizations automatically upload lots of files to VirusTotal, the malware was likely spotted at a big company, Mr. Doman said, though he is unable to determine how many computers were affected—or if the attack continues.

The Monero community, in a Monday statement from several prominent members, said millions of users “trust Monero to be that currency to conduct safe, private transactions.” But “no currency, digital or fiat, is immune to criminal malfeasance,” according to the statement.

The coding is rudimentary, suggesting a student project more than the work of North Korea’s elite hacking unit known as Lazarus. Still, the malware’s creators hid certain files, suggesting the software wasn’t accidental or a prank, Mr. Doman said.

For instance, the malware installs the Monero miner in a folder that is part of the Microsoft Windows operating system, a typical maneuver for illegitimate software. And it installs under the file name “intelservice.exe,” in an attempt to get a user to confuse it with a product from Intel Corp., Mr. Doman said.
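The two tells described above (a third-party-looking binary dropped into a Windows system folder, and a file name that borrows a vendor's brand) are exactly the kind of thing a defender can check mechanically across an endpoint inventory. The following Python check is an added illustration, not code from the article or from AlienVault. It assumes each inventory record carries the executable's path and its Authenticode signer name (collected separately, for example with PowerShell's Get-AuthenticodeSignature); the vendor table, signer strings and sample records are constructed for the example.

```python
"""Flag executables that masquerade as vendor software or hide inside Windows system folders."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Folders that belong to the operating system. Legitimate third-party vendors
# normally install under Program Files, not here. (Constructed list.)
WINDOWS_SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows"),)

# Hypothetical table: a substring in a file name that implies a vendor, mapped to
# the signer subject one would expect on that vendor's genuine binaries.
VENDOR_HINTS = {
    "intel": "Intel Corporation",
    "nvidia": "NVIDIA Corporation",
}

# Signer subject assumed for OS-provided binaries (placeholder string).
OS_SIGNER = "Microsoft Windows"


def _under_system_dir(path: PureWindowsPath) -> bool:
    """Case-insensitive prefix test: does the path sit below any OS folder?"""
    lowered = str(path).lower()
    return any(lowered.startswith(str(root).lower() + "\\") for root in WINDOWS_SYSTEM_DIRS)


def assess(path: str, signer: Optional[str]) -> List[str]:
    """Return the reasons an executable looks like a masquerading implant.

    An empty list means nothing suspicious was found. `signer` is the Authenticode
    signer subject, or None when the file is unsigned.
    """
    p = PureWindowsPath(path)
    stem = p.stem.lower()
    reasons: List[str] = []

    # Tell 1: the name borrows a vendor brand but the signature does not match it.
    for hint, expected in VENDOR_HINTS.items():
        if hint in stem and signer != expected:
            reasons.append(
                f"name suggests {expected} but binary is signed by {signer or 'nobody'}"
            )

    # Tell 2: something other than an OS-signed binary lives in an OS folder.
    if _under_system_dir(p) and signer != OS_SIGNER:
        reasons.append("third-party or unsigned binary inside a Windows system folder")

    return reasons


def scan(records: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Run `assess` over (path, signer) records; return only the flagged ones."""
    return {path: reasons for path, signer in records if (reasons := assess(path, signer))}


# Constructed sample inventory: two benign entries, two masquerading ones.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
    (r"C:\Program Files\Intel\Driver\igfxtray.exe", "Intel Corporation"),
    (r"C:\Windows\intelservice.exe", None),                       # the pattern described in the article
    (r"C:\Users\alice\AppData\Local\Temp\intelupdate.exe", "Some Vendor"),  # brand borrowed, wrong signer
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The check deliberately keys on the combination of location and signature rather than on one fixed file name, because the name is the cheapest thing for an operator to change; the unsigned-binary-in-a-system-folder condition survives a rename.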

“There is some type of subterfuge going on,” Mr. Doman said.


Though direct links with the regime or Lazarus couldn’t be proved, the Monero-mining malware serves as another example of North Korea’s interest in cryptocurrencies, as the rogue nation seeks ways to raise money to offset the effects of tightened economic sanctions. North Korean hackers are suspected of a heist last month of a Seoul-based cryptocurrency exchange, The Wall Street Journal reported in December. That incident followed the WannaCry ransomware attack, which locked digital files and demanded bitcoin payment for their release. North Korea has denied involvement in hacking attacks.

Mr. Kim, the North Korean leader, is believed to have studied at Kim Il Sung University, which is named after his grandfather, the founder of North Korea. The current leader’s father, former dictator Kim Jong Il, attended the university in the 1960s. The university couldn’t be reached for comment about the AlienVault hacking report.

Pyongyang’s hackers in recent months have specifically targeted Monero, cybersecurity researchers say, hunting for the cryptocurrency on compromised banking and private-company servers. Internet usage and computer access are limited in North Korea, pushing the regime’s cryptocurrency-mining endeavors overseas.


Electronic “mining” is how new units of cryptocurrency, including bitcoin, are released into the world. It requires lots of computing power to generate special numbers that bestow the miner with new coins, but as bitcoin’s value rises, more miners are competing for a finite amount of coins. Hardware and electricity costs can offset income as new bitcoins become scarcer, which is why Mr. Doman said Monero mining tends to be more profitable than bitcoin.

“So running [the Monero-mining software] on someone else’s computer means you don’t have any costs, only profit,” Mr. Doman said.

Bitcoin’s value has risen about 1,600% from a year-ago price of $911.20, according to the tracking site, while Monero has gained some 2,800% from a year-ago value of $13.47.