Cryptocurrency exchanges around the globe seem to be going through a rough patch: just weeks after the Binance hack, the South Korean exchange UpBit has fallen prey to a security breach. There is considerable evidence that a North Korean hacking group masterminded the attack.
According to data released by the security firm East Security, the attackers sent a phishing e-mail on May 28 as part of their campaign. In the e-mail, the attackers posed as representatives of UpBit and asked users for more personal information, claiming that the exchange needed it to pay out a fictional sweepstakes prize. It was later discovered that the mail had not been sent from UpBit's servers but from a different server.
The e-mail also carried an attachment that supposedly contained the documents needed for the payout. East Security later revealed that opening the file would initially display what looked like an ordinary document, but would then run malicious code. That code collected data about the user's machine, private keys and login credentials and sent it to the attackers, after which it connected the machine to a command-and-control server for later remote access.
The security company believes North Korean hackers are responsible for the carefully crafted phishing attack. East Security's prime suspect is Kim Soo-ki, a North Korean hacking group.
Furthermore, when the security firm analyzed the malicious code used in the phishing e-mail, it found a striking resemblance to another attack, called Operation Fake Striker, that targeted Korean government agencies.
Mun Jong-hyun, head of the ESRC Center at East Security, also revealed that the hackers had employed the same techniques in an attack earlier in January to target reporters. According to reports, the South Korean government confirmed a similar mass email containing malware, which was sent to journalists who were registered with Seoul’s unification ministry.
The e-mail targeted 77 reporters, all of whom had previously been in contact with the unification ministry. As in the UpBit incident, the message claimed to come from the unification ministry and included three attachments, among them a compressed zip file which, as the reports later revealed, could have downloaded malware.
And as with the UpBit incident, Mun Jong-hyun of East Security believed that North Korea was responsible, even though Baek Tae-hyun, the unification ministry's spokesman, believed otherwise. According to the security firm, however, malicious components with names like "freedom.dll" point to North Korea as the prime suspect.
The security firm believes that the motive behind the attempted attack on UpBit is the rise in Bitcoin prices. According to Mun Jong-hyun:
As Bitcoin prices rise, more and more customers are using exchanges. This means that the number of victims has increased, which means that the possibility of stealing passwords stored in the exchange has increased.
Moreover, the attackers password-protected the malicious file with the word "UPBIT", which prevented traditional anti-virus tools from inspecting and detecting the malicious code inside it.
Additionally, the security firm says there have been no victims of the phishing e-mail so far and it has not heard of any reported damages as of yet. Mun Jong-hyun did, however, urge users to exercise caution:
In order to avoid cyber attacks, you should not install or click on suspicious files or documents.