North Korean Hackers Leverage Russian IP Infrastructure

Void Dokkaebi Campaigns Exploit Russian Infrastructure for Cryptocurrency Theft

The Korea–Russia Friendship Bridge over the Tumen River, captured on August 10, 2017. (Image: Stefan Bruder / Shutterstock)

North Korean hackers are increasingly leveraging Russian internet infrastructure to conduct a range of online fraud schemes aimed at siphoning funds into the reclusive state. A recent report by Trend Micro outlines the network of cybercriminal activities tied to North Korea, revealing a connection to specific IP addresses linked to an organization in Khabarovsk, Russia, which has a history of collaboration with North Korean entities since the Cold War. Additional activity has been traced to Khasan, a border town adjacent to North Korea, significant for housing the Korea–Russia Friendship Bridge, where a major Russian telecom company installed a fiber-optic cable in 2017.

Trend Micro’s findings indicate that the hackers associated with the Void Dokkaebi intrusion set, also colloquially known as Famous Chollima, utilize Russian IP address ranges concealed by VPNs, proxies, or remote desktop connections. These methods are employed to avoid detection and attribution in their operations. The research points to five key Russian IP ranges underpinning diverse tactics, including social engineering, malware deployment, and cryptocurrency wallet exploitation.

The report also identifies North Korean hackers as the actors behind the recent $1.5 billion theft of Ether cryptocurrency from the exchange Bybit. The funds acquired through these breaches are reportedly funneled to support the North Korean regime’s military ambitions, including the development of nuclear weapons and ballistic missile programs, as well as maintaining the opulent lifestyles of its leadership.

The Void Dokkaebi group often engages in sophisticated social engineering campaigns, deceiving IT job seekers into unwittingly downloading malware under the pretense of job interviews. They have also been known to secure remote IT positions at Western companies, as documented in various investigative reports on insider threats. A detailed analysis reveals that the Russian IP ranges used by these attackers connect to multiple Virtual Private Servers (VPS) worldwide, enabling them to perform various online activities, ranging from interaction with foreign IT professionals to illicit cryptocurrency operations.

The group operates front companies, including one dubbed BlockNovas, which features a polished website and claims a presence on professional networks such as LinkedIn and Upwork. Trickery extends to orchestrating fake job interviews intended to lure developers into interacting with malware disguised as legitimate software. This malware, identified as “BeaverTail” by Palo Alto Networks, acts as a JavaScript-based backdoor hidden within seemingly innocuous code packages.

Research from Trend Micro links BlockNovas directly to the infrastructure used by BeaverTail, and tracks the company’s recruitment of senior software engineers, which targeted professionals from Ukraine as late as December 2024. During supposed interviews, candidates were presented with malware-laced tasks and unwittingly compromised their own systems by completing them.

In one illustrative case, attackers used a victim’s webcam as a pretext, claiming it required a software update; the supposed update was in fact malware, dubbed FrostyFerret on macOS and GolangGhost on Windows. These infections were linked back to the command-and-control architecture employed by BeaverTail and other tools within the same operational scheme.

The infrastructure used by the attackers is extensive, with Astrill VPN playing a significant role in obfuscating their activity across various communication tools. Connections to remote management platforms and the deployment of credential-cracking software, such as Hashtopolis, were traced back to internal BlockNovas domains, underscoring the depth of their operational capabilities.

Despite claiming a South Carolina base, BlockNovas lacks any formal corporate registration, with its listed address being an empty parcel of land. The FBI took decisive action on April 23, seizing the domain as part of a coordinated international law enforcement initiative targeting North Korean cyber actors.

This incident exemplifies the multifaceted tactics commonly employed by state-sponsored cybercriminals, particularly for initial access and the subsequent exploitation of compromised systems, as outlined in the MITRE ATT&CK Matrix. The techniques associated with this campaign likely include deception for initial access, persistence through remote access methods, and the use of elevated privileges to facilitate large-scale fraud operations.