North Korea is funding its nuclear program with cyber espionage and LinkedIn hiring scams
North Korea is using its hackers, attributed as APT38 and APT45, to hack organizations for nuclear and energy secrets and cryptocurrency exchanges.

North Korea is funding its nuclear program ambitions with sophisticated global cyber espionage campaigns, according to research released by cybersecurity firm Mandiant, Recorded Future and the Federal Bureau of Investigation. North Korea-linked advanced persistent threat groups APT45 and APT38 have conducted espionage campaigns since 2009 but have gradually increased the severity of cyberattacks and exploits. The North Korean hackers deploy ransomware to target critical infrastructure, hack global financial institutions and cryptocurrency exchanges. The hackers assume fraudulent identities to infiltrate target organizations, hired for remote positions on LinkedIn or pose as recruiters themselves.

APT45 hack military and defense industry organizations for nuclear and energy research

Mandiant traced activity for APT45 back to 2009 but observed increased attack sophistication targeting military and defense agencies starting in 2017. Of particular interest to the North Korean regime were foreign companies and agencies with specific energy or nuclear capabilities that would be useful to expanding their own nuclear program.

The group began using ransomware in 2017 to hold its victims’ data hostage and demand money in exchange for decryption keys. Interestingly, the funds acquired would be used not only for North Korea’s nuclear ambitions, but other DPRK government initiatives.

APT45 also heavily targeted the global financial sector. In 2016, it targeted the South Korean financial industry, and in 2021, it was attributed to attacking a South Asian financial organization with spear-phishing attacks. Once a victim clicked a malicious link or file, the malware payload would allow the DPRK hackers to hook into victim password managers, or assume digital identities of its victims.

The assessed structure of North Korean cyber programs and the intersection of DPRK APT groups, malware signatures, and government ties. (source: Mandiant)
The assessed structure of North Korean cyber programs and the intersection of DPRK APT groups, malware signatures, and government ties. (image source: Mandiant)

APT38 cryptocurrency exchange hacks net DPRK $600 million

Other advanced persistent threat groups, such as APT38, also add significant funds back to the North Korean regime by hacking cryptocurrency exchanges.

Similar to APT45, APT38 also targets financial institutions. According to the U.S. Department of Health and Human Services (HHS) and CISA, APT38 hacked 16 financial institutions in at least 13 countries since 2014.

Notably, in 2016, APT38 conducted the most significant global bank heist, stealing $81 million from the Bank of Bangladesh. But that pales compared to the Web3 blockchain and cryptocurrency exchange hacks, where APT38 stole over $600 million.

Cryptocurrency exchanges remain ripe for hacks and fraud. Even though cryptocurrency exchanges and coins are not anonymous, it remains an unregulated market with billions in assets hackers are anxious to steal. According to cryptocurrency and blockchain firm Chainalysis, over $12 billion in stolen digital assets have been recorded since 2020.

North Korean hackers posing as IT workers and recruiters on LinkedIn

A fake identity and recruiter, Onder Kayabasi, which was determined by Palo Alto Networks Unit 42 researchers to actually be North Korean hackers part of APT38.
A fake identity and recruiter, Onder Kayabasi, was determined by Palo Alto Networks Unit 42 researchers to actually be a North Korean hacker part of APT38. (image source: Palo Alto Networks Unit 42)

As any good hacker would do, North Korea has taken advantage of remote hiring and recruiting to perform espionage. Remote cyber and tech jobs may be disappearing, but that doesn’t mean it can’t be exploited.

Research by Recorded Future, Mandiant, and Palo Alto Networks Unit 42 found North Korean hackers pose as recruiters on LinkedIn and X, enticing applicants to accept malicious files. The files could be what the recruiters claim to be interview-related or hacking challenges. More robust penetrations involve being hired into targeted companies posing as non-North Koreans using LinkedIn, only to embed themselves into the company’s IT infrastructure and exfiltrate valuable data.

Mandiant analysis on North Korea APT38 and APT42 hacking groups

Mandiant security researcher Michael Barnhart was recently interviewed by CyberScoop Editor-in-Chief Greg Otto on North Korean APT groups, cyber espionage, and LinkedIn IT hiring scams. The podcast is available on their “Safe Mode” episode page and below.


Discover more from Cybersecurity Careers Blog

Subscribe to get the latest posts sent to your email.