North Korean hackers hijack businesses 'to bridge the gap between rich and poor'


North Korean hackers hijack businesses 'to bridge the gap between rich and poor'
Hackers from North Korea are not new – but disguising yourself as Robin Hood is.

07/18/2022, 20:51

2 min reading time

A previously unknown hacker group calling itself "H0lyGh0st" has been attacking companies since September 2021. On their communication platform in the Darknet, the cyber gangsters pretend to be noble fighters against the injustices of this world.
Security experts from Microsoft warn: A hacker group called "H0lyGh0st" is up to mischief on the Internet. According to the research group, the alleged perpetrators are North Koreans who use tried and tested tools in their attacks.
Accordingly, the hackers usually look for smaller companies as a target and encrypt their data. As proof that only "H0lyGh0st" is able to make the files readable again, the gang sends their victims a sample of a decrypted file that clearly comes from the trove of the attacked.
This is followed by the demand for a ransom in the cryptocurrency Bitcoin and various threats that if the ultimatum is ignored, data – and thus often company secrets – would be posted openly on the internet.
Microsoft writes that "H0lyGh0st" is apparently connected to the hacker gang "Plutonium" (aka DarkSeoul or Andariel), and in some cases even uses their tools.
The "good" hacker demands up to 100,000 euros
The special thing about "H0lyGh0st" is their website in the Darknet. The group uses a rudimentarily cobbled together website as a communication platform for the victims, but also describes itself in a little more detail.
It says: "What are we fighting for? Quite simply: To close the gap between rich and poor. To help poor and starving people. To raise awareness of safety in your company."

Border tourism

What Chinese See When They Stare at North Korea



Chinese tourists in front of watchtower

A look into a very foreign country. When Chinese tourists examine their neighbors on the Yalu River, some of them feel reminded of their own past from 20 or 30 years ago.


The experts only classify this heroic message as a pretext to legitimize the attacks, it is said. There is also no information on the hacker's website about the total amount of the ransom, the group's goals or any donation pots that were filled with the loot in the finest Robin Hood manner. We know from chats that "H0lyGh0st" demands between 1.2 and 5 bitcoins from victims. Converted (18.7.22) so between 25,000 and 100,000 euros.

Advice for companies

As for the true motives behind the attacks, Microsoft isn't sure. On the one hand, it is known that North Korea employs hackers to bring foreign currency into the country and to compensate for financial losses caused by sanctions and the corona pandemic, on the other hand, the hackers could also be private individuals acting in their own interests. The experts lack solid evidence for both theories.
In the following, Microsoft breaks down the components of the "H0lyGh0st" software and how to correctly identify the use of the malware. The in-house virus protection "Defender" has already been updated and enabled it to recognize the gang's blackmail viruses.
The following are general tips on how companies can protect themselves against attacks of this type and what to do in an emergency. A simple software for decrypting affected data is not yet available.



North Korea

Communication platform


Robin Hood

Related Posts

Leave a Reply

%d bloggers like this: