UNITED NATIONS – North Korea stole more cryptocurrency assets in 2022 than in any other year and targeted the networks of foreign aerospace and defense companies, according to a currently confidential United Nations report seen by Reuters on Monday.
“(North Korea) used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programs,” independent sanctions monitors reported to a UN Security Council committee.
The monitors have previously accused North Korea of using cyber attacks to help fund its nuclear and missile programs.
“A higher value of cryptocurrency assets was stolen by DPRK actors in 2022 than in any previous year,” the monitors wrote in their report – submitted to the 15-member council’s North Korea sanctions committee on Friday – citing information from UN member states and cybersecurity firms.
North Korea has previously denied allegations of hacking or other cyberattacks.
The sanctions monitors said South Korea estimated that North Korean-linked hackers stole virtual assets worth $630 million in 2022, while a cybersecurity firm assessed that North Korean cybercrime yielded cybercurrencies worth more than $1 billion.
“The variation in USD value of cryptocurrency in recent months is likely to have affected these estimates, but both show that 2022 was a record-breaking year for DPRK (North Korea) virtual asset theft,” the UN report said.
A US-based blockchain analytics firm last week reached the same conclusion.
The UN report noted: “The techniques used by cyberthreat actors have become more sophisticated, thus making tracking stolen funds more difficult.”
The report is due to be released publicly later this month or early next month, diplomats said.
The monitors said most cyberattacks were carried out by groups controlled by North Korea’s primary intelligence bureau – the Reconnaissance General Bureau. It said those groups included hacking teams tracked by the cybersecurity industry under the names Kimsuky, Lazarus Group and Andariel.
“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programs,” the UN report said.
The sanctions monitors said the groups deployed malware through various methods including phishing. One such campaign targeted employees in organizations across various countries.
“Initial contacts with individuals were made via LinkedIn, and once a level of trust with the targets was established, malicious payloads were delivered through continued communications over WhatsApp,” the UN report said.
It also said that, according to a cybersecurity firm, a North Korean-linked group known as HOlyGhOst had “extorted ransoms from small- and medium-sized companies in several countries by distributing ransomware in a widespread, financially motivated campaign.” – Reuters
