North Korea stole more cryptocurrency assets in 2022 than in any other year and targeted the networks of foreign aerospace and defence companies, according to a currently confidential United Nations report seen by the Reuters news agency.
“[North Korea] used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programmes,” independent sanctions monitors reported to a UN Security Council committee.
The monitors have previously accused North Korea of using cyberattacks to help fund its nuclear and missile programmes.
“A higher value of cryptocurrency assets was stolen by DPRK [North Korea] actors in 2022 than in any previous year,” the monitors wrote in their report — submitted to the 15-member council’s North Korea sanctions committee on Friday — citing information from UN member states and cybersecurity firms.
North Korea has previously denied allegations of hacking or other cyberattacks.
The sanctions monitors said South Korea estimated that North Korean-linked hackers stole virtual assets worth $630m in 2022, while a cybersecurity firm assessed that North Korean cybercrime yielded cryptocurrencies worth more than $1bn.
“The variation in USD value of cryptocurrency in recent months is likely to have affected these estimates, but both show that 2022 was a record-breaking year for DPRK virtual asset theft,” the UN report said.
A US-based blockchain analytics firm last week reached the same conclusion.
The UN report noted: “The techniques used by cyberthreat actors have become more sophisticated, thus making tracking stolen funds more difficult.”
The report is due to be released publicly later this month or early next month, diplomats said.
The monitors said most cyberattacks were carried out by groups controlled by North Korea’s primary intelligence bureau — the Reconnaissance General Bureau. It said those groups included hacking teams tracked by the cybersecurity industry under the names Kimsuky, Lazarus Group and Andariel.
“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programmes,” the UN report said.
The sanctions monitors said the groups deployed malware through various methods, including phishing. One such campaign targeted employees in organisations across various countries.
“Initial contacts with individuals were made via LinkedIn, and once a level of trust with the targets was established, malicious payloads were delivered through continued communications over WhatsApp,” the UN report said.
It also said that according to a cybersecurity firm, a North Korean-linked group known as HOlyGhOst had “extorted ransoms from small- and medium-sized companies in several countries by distributing ransomware in a widespread, financially motivated campaign.”
In 2019, the UN sanctions monitors reported that North Korea had generated an estimated $2bn over several years for its weapons of mass destruction programmes using widespread and increasingly sophisticated cyberattacks.
In their latest annual report, the monitors also said Pyongyang continued producing nuclear fissile materials at its facilities and launched at least 73 ballistic missiles, including eight intercontinental ballistic missiles, last year.
The United States has long been warning that North Korea is ready to carry out a seventh nuclear test.
North Korea has long been banned from conducting nuclear tests and ballistic missile launches by the Security Council. Since 2006, it has been subject to UN sanctions, which the Security Council has strengthened over the years to target Pyongyang’s nuclear and ballistic missile programmes.
But North Korea has continued illicit imports of refined petroleum and exports of coal, evading sanctions, the monitors said. They also said they have started an investigation into reports of ammunition exports by North Korea.
The US has accused the Russian mercenary company Wagner Group of receiving arms from North Korea to help bolster Russian forces in Ukraine. North Korea has rejected the accusation and Wagner’s owner, Yevgeny Prigozhin, denied getting arms from North Korea.
Last May, China and Russia vetoed a US-led push to impose more UN sanctions on North Korea. This included a proposed asset freeze on the Lazarus hacking group.
The Lazarus group has been accused of involvement in the “WannaCry” ransomware attacks, hacking of international banks and customer accounts, and the 2014 cyberattacks on Sony Pictures Entertainment.
The US linked North Korean hackers in April to the theft of hundreds of millions of dollars’ worth of cryptocurrency tied to the popular online game Axie Infinity. Ronin, a blockchain network that lets users transfer crypto in and out of the game, said digital cash worth almost $615m was stolen on March 2022.