North Korean government-linked hackers have focused their efforts on targeting cryptocurrency and financial technology companies in Brazil, a United States tech giant said on Thursday. At the same time, North Korean hacking groups accounted for one-third of all government-backed phishing attacks aimed at the country.
In a blog post on Google Cloud, the tech giant revealed that North Korean threat actors were responsible for one-third of government-sponsored phishing operations aimed at Brazil, the largest economy in South America, from 2020 to the first quarter of 2024. This placed them second, behind China, which accounted for 42%. Overall, cyberespionage groups from more than a dozen countries have conducted campaigns against Brazil over the past four years.
The report, titled “Insights on Cyber Threats Targeting Users and Enterprises in Brazil,” was based on collaborative analysis by Google’s Threat Analysis Group (TAG) and Mandiant, a Google-owned cybersecurity firm headquartered in the U.S.
According to their findings, North Korean state-sponsored hackers have shown a notable interest in digital assets and fintech firms, continuing a trend of global cyberattacks originating from North Korea. The report highlighted that since 2020, at least three North Korean hacking groups have targeted digital assets and fintech firms.
Earlier this year, a group named “PUKCHONG,” a name that closely resembles that of a northeastern county in North Korea, conducted malicious campaigns targeting virtual currency professionals in Brazil. They masqueraded as a well-known cryptocurrency firm during these attacks.
The attackers approached their victims through social media channels, using job opportunities as bait. They sent a harmless PDF file containing a job description and shared additional benign files with those who responded. However, these follow-up files included a coding test with a GitHub link. If followed, this link directed victims to download and run malware, enabling the attackers to retrieve desired information.
“These campaigns describe targeting and do not indicate successful compromise or exploitation,” the report clarified.
“One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles,” the report stated. “Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk.”