Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions. A third firm, Angeloper Agency, is connected to the campaign but does not seem to be registered in the United States.
“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” noted Kasey Best, director of threat intelligence at Silent Push.
The hackers belong to a subgroup of the Lazarus Group, an elite team of North Korean hackers that is part of the Reconnaissance General Bureau, Pyongyang’s principal foreign intelligence agency, Silent Push added.
Blocknovas and Softglide were not explicitly named by the FBI. On Thursday, however, the FBI posted a seizure notice on Blocknovas' website, stating that the domain was seized "as part of a law enforcement action against North Korean Cyber Actors who utilised this domain to deceive individuals with fake job postings and distribute malware."
FBI sources told Reuters ahead of the seizure that the agency is still "focused on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.”
One FBI official said that North Korean cyber operations are "perhaps one of the most advanced persistent threats" to the United States. The North Korean mission to the United Nations in New York did not immediately respond to a request for comment.
“These attacks utilize fake personas offering job interviews, which lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers, and they also target the developers' passwords and credentials which could be used to further attacks on legitimate businesses,” Best stated.
Silent Push was able to authenticate several victims of the operation, "specifically via Blocknovas, which is by far the most active of the three front companies," the researchers stated in their report.