North Korean spies create companies in the US to attack crypto professionals

by Andrea

North Korean cyber spies created two companies in the United States, in violation of US Treasury sanctions, in order to infect developers working in the cryptocurrency industry with malicious software, according to security researchers and documents reviewed by Reuters.

The companies, BlockNovas LLC and Softglide LLC, were created in the states of New Mexico and New York using fake identities and addresses, researchers at Silent Push, a US cyber security company, told Reuters. A third company, Angeloper Agency, is linked to the operation but does not appear to be registered in the United States.

“This is a rare example of North Korean hackers actually managing to establish legal corporate entities in the US to create business fronts used to attack unsuspecting candidates,” said Kasey Best, Silent Push’s director of threat intelligence.


The hackers are part of a subgroup within the Lazarus Group, a North Korean hacking team linked to the Reconnaissance General Bureau, Pyongyang’s main foreign intelligence agency, Silent Push said.

The FBI declined to comment specifically on BlockNovas or Softglide. But on Thursday (24), a notice from the FBI posted on the BlockNovas website stated that the domain had been seized “as part of a law enforcement action against North Korean cybercriminals who used this domain to deceive individuals with fake job ads and distribute malware.”

Before the seizure, FBI officials told Reuters that the bureau continues to “focus on imposing risks and consequences, not just on the DPRK (North Korea) actors themselves, but on anyone who is facilitating their ability to conduct these schemes.”


An FBI official said North Korean cyber operations are “perhaps one of the most advanced persistent threats” faced by the US.

North Korea’s mission to the United Nations in New York did not immediately respond to a request for comment.

“These attacks use fake personas offering job interviews, which leads to the deployment of sophisticated malware to compromise developers’ cryptocurrency wallets. They also target developer passwords and credentials, which can be used for subsequent attacks on legitimate companies,” said Best.


Silent Push was able to confirm several victims, “specifically through BlockNovas, which is by far the most active of the three front companies,” the researchers said in a report shared with Reuters before publication.

Sanctions

Reuters reviewed the BlockNovas and Softglide registration documents filed in New Mexico and New York, respectively. The agency was unable to locate the people named in the documents.

BlockNovas’ registration listed a physical address in Warrenville, South Carolina, which appears on Google Maps as an empty lot. Softglide appears to have been registered through a small accounting office in Buffalo, New York.


The activity represents a continued evolution in North Korea’s efforts to target the cryptocurrency sector in an attempt to raise funds for the North Korean government.

In addition to stealing foreign currency through hacks, North Korea has sent thousands of IT workers abroad to bring in millions to fund Pyongyang’s nuclear missile program, according to the United States, South Korea and the United Nations.

The presence of a North Korean-controlled company in the United States violates sanctions administered by the Office of Foreign Assets Control (OFAC), part of the Treasury Department. It also violates United Nations sanctions that prohibit North Korean commercial activities designed to assist the country’s government or armed forces.


The New York Department of State told Reuters that it does not comment on companies registered in the state. The Office of the New Mexico Secretary of State told Reuters by email on Thursday that the company was registered through the state’s online domestic LLC system. “The registration was made in accordance with state law, using a registered agent, and there would be no way for our office to know of its connection with North Korea,” a representative of the office said.

The hackers sought to infect applicants for the fake jobs with at least three known types of malware linked to North Korean cyber operations. The malware used in the campaign, Silent Push said, can be used to steal information, facilitate access to networks and load other forms of malware.
