North Korean hackers are turning to cloud mining for crypto to avoid police scrutiny

A North Korean espionage unit suspected of impersonating journalists and fake LinkedIn accounts to gather intelligence is using a new way to finance its international hacking operations: renting out cloud-based power to mine for cryptocurrency.

The use of so-called cloud mining to rent processing power for crypto mining appears to be a way for the group to avoid technologies such as mixers, which have come under increased scrutiny from law enforcement, according to a report out today from cybersecurity firm Mandiant, which is part of Google Could. The cloud mining process is a way for the newly identified hacking syndicate, which Mandiant named APT 43, to produce pure bitcoin without blockchain-based connections for law enforcement to trace.

Unlike other North Korean hacking units engaged in cryptocurrency-related cybercrime, researchers at Mandiant believe APT 43 is using the loot to fund its own hacking and cyberespionage activities, not sending it back to the regime for a nuclear weapons program. Instead, the group takes the laundered funds to purchase infrastructure such as website domains to further espionage activities.

“They don’t need $100 million to rent servers to run C2 nodes. They need much smaller quantities, says Joe Dobson, Mandiant Principal Analyst. “We see them targeting everybody. I like to say, ‘There’s no fish too small.’ If someone has funds in their crypto wallet, they will be targeted.”

The group’s operations stand in stark contrast to the massive crypto heists carried out by another North Korean threat actor, the Lazarus Group, which US law enforcement officials accused of stealing $100 million from Harmony’s Horizon bridge last year.

Financially motivated North Korean hackers are also becoming more aggressive, other firms note. Researchers at cybersecurity firm Proofpoint reported an increase in North Korea-related phishing emails from another cluster of state-linked hackers with overlap with the Lazarus group. Dobson says that based on the number of attacks, APT 43 most likely has automated aspects of its campaigns. Mandiant has tracked more than 10 million NFT-related (non-fungible tokens) phishing scams successfully delivered to cryptocurrency users since 2022 – and most of these are linked to APT 43.

“I think overall we’re seeing more clusters of DPRK-related threat activity against crypto,” Dobson said. “They see that they are successful. And so whether that means for monetization or for operational funding, status, they’re going to continue to expand and move more into crypto.”

APT 43’s most common attack method is to use tailored spear-phishing emails to gain access to the victim’s information. The group also uses fake websites designed to steal credentials. Personas based on fake LinkedIn profiles and other platforms have also become a hallmark of North Korean online espionage.

The group leverages stolen data and forged domains to pose as key individuals to gain the trust of its targets, Mandiant said in its report. For example, in one case that researchers observed, an attacker posed as a Voice of America journalist to directly ask an expert for insight into diplomatic relations with North Korea. The hackers have developed methods to trick victims into responding, including replying to their own messages to create the appearance of a conversation.

“We’ve seen a place where they reply to their own messages multiple times, so that anyone they go after thinking they’re late to the party and their guard is down,” says Michael Barnhart, principal analyst at Mandiant at Google Cloud.

As an espionage-assigned unit, APT 43’s targeting shifts in response to regime priorities. For example, during the pandemic, it shifted its focus to healthcare and pharmaceutical-related targeting. By late 2021, however, it has reverted to targeting groups involved in diplomatic relations between North Korea and South Korea and Japan, such as universities and NGOs. In mid-2022, the campaigns shifted to targeting South Korean bloggers and social media users “associated with South Korean affairs, human rights, academic, religion and cryptocurrency.”

APT 43 has also collaborated with other North Korean espionage actors linked to the North Korean government, “underscoring the major role APT43 poles play in the regime’s cyber apparatus,” researchers say.

Barnhart emphasized that APT43’s focus on North Korea’s nuclear weapons program in its espionage operations means that “this is the time to pay attention to this actor.”