North Korean hackers have been using Russian internet infrastructure to carry out online scams and funnel stolen money back to their country, according to a recent report by Trend Micro. The report identified IP addresses in the Russian city of Khabarovsk as being associated with cybercrime activities linked to North Korea. These IP addresses have been used to conduct various illicit activities, including social engineering, malware deployment, and cryptocurrency theft.
One of the hacking groups, known as Void Dokkaebi and also referred to as Famous Chollima, has been using Russian IP addresses to conceal its identity and location, making it difficult for authorities to track and attribute its actions. The hackers use techniques such as VPNs, proxies, and remote desktop protocol sessions to avoid detection. These tactics have allowed them to operate covertly and carry out a range of activities, from luring victims into downloading malware to cracking cryptocurrency wallets.
The stolen funds from these cybercrimes are believed to be funding North Korea’s leaders’ extravagant lifestyles and the country’s development of weapons of mass destruction, including nuclear arms and ballistic missiles. The hackers behind the Void Dokkaebi group have been implicated in a $1.5 billion theft of Ether cryptocurrency from the exchange Bybit earlier this year.
One of the common tactics employed by the hackers is to pose as recruiters and entice IT job seekers into downloading malicious code under the guise of a job interview. They also target remote IT worker positions at Western companies as part of their operations. The hackers use various communication tools such as Skype, Telegram, Discord, and Slack to coordinate their activities and reach out to their targets.
The report also identified a front company called BlockNovas, which serves as a facade for the hackers to lure developers into fake job interviews. The company advertises roles on platforms like LinkedIn and Upwork to attract unsuspecting victims. Once applicants engage in the interview process, they are tricked into downloading malware packages that compromise their systems.
The infrastructure supporting these illicit activities is extensive, with the hackers using tools like Astrill VPN to mask their traffic and remain undetected. The attackers have also been known to upload credential-cracking tools to their internal domains, further aiding in their malicious efforts. Despite attempts to appear legitimate, the facade of BlockNovas was eventually exposed, leading to the seizure of their domain by the FBI.
Overall, the use of Russian internet infrastructure by North Korean hackers highlights the complex and sophisticated nature of cybercrime operations in the digital age. These illicit activities not only pose a threat to individuals and organizations but also have broader geopolitical implications. As law enforcement agencies continue to crack down on these cybercriminals, their efforts underscore the importance of cybersecurity measures and vigilance in protecting against such threats.