A North Korean state-sponsored cybercrime group carried out a large-scale hacking campaign that used AI coding tools such as OpenAI's ChatGPT and Cursor to target cryptocurrency developers and steal roughly $12 million. It is a key example of how ordinary hackers with little technical skill can use AI tools to mount professional, damaging attacks. It is an important warning for security practitioners: AI is being turned into a hacking tool for malicious ends and is sharply lowering the barrier to entry for cybercrime.
Translated text
The advent of AI hacking tools has raised fears of a near future in which anyone can use automated tools to dig into vulnerabilities in any piece of software, a kind of digital-intrusion superpower. In the present, however, AI appears to be playing a still-worrying but mundane role in the hacker's toolbox: it is helping mediocre hackers level up and run broad, effective malware campaigns. That includes one team of relatively unskilled North Korean cybercriminals found to be using AI for nearly every part of an operation that hacked thousands of victims to steal their cryptocurrency.
On Wednesday, cybersecurity firm Expel disclosed a North Korean state-sponsored cybercrime operation that installed credential-stealing malware on more than 2,000 computers, targeting the machines of developers working on small cryptocurrency launches, NFT creation, and Web3 projects. The hacker group, which Expel calls HexagonalRodent, used AI tools from US-based companies including OpenAI, Cursor, and Anima to "vibe code" nearly every part of its intrusion campaign, from writing the malware to building the fake company websites used for phishing. This AI-driven hacking let the group steal up to $12 million (about 16 billion won) in cryptocurrency from victims in three months.
Security researcher Marcus Hutchins, who discovered the group, said the most striking thing about the HexagonalRodent campaign was not its sophistication but how AI tools let an apparently unsophisticated group carry out lucrative thefts for the benefit of the North Korean state. Hutchins, who became well known in the cybersecurity community for neutralizing the WannaCry ransomware worm built by North Korean hackers, said: "These operators don't have the skills to write code, and they don't have the skills to set up infrastructure. AI is actually enabling them to do things they otherwise could never have done."
Emoji-Littered, AI-Written Code
HexagonalRodent's operation centered on luring cryptocurrency developers with fake job offers from tech companies, going as far as building complete websites for the fake recruiting companies with AI web design tools. Eventually the victim was told they had to download and complete a coding assignment as part of a test; the hackers had infected the assignment with malware that penetrated the computer and stole credentials, in some cases including ones that could grant access to the keys controlling cryptocurrency wallets.
Those parts of the operation appeared polished and effective, but the hackers made the blunder of leaving part of their own infrastructure unsecured, leaking the prompts they used to write their malware with tools including OpenAI's ChatGPT and Cursor. They also exposed a database that tracked victim wallets, which let Expel estimate the total amount of cryptocurrency the hackers may have stolen. (Those wallets totaled $12 million, but Hutchins said that, since some wallets may have been protected by hardware security tokens, the company could not confirm for every target whether the full amount had already been drained from the wallet or whether the hackers still needed to obtain the victim's wallet keys.)
Hutchins also analyzed samples of the hackers' malware and found other clues that it was mostly, perhaps entirely, created with AI. The code was thoroughly commented in English throughout, which is not a typical coding habit of North Koreans, even though some of the malware's command-and-control servers were linked to known North Korean hacking operations. The malware code was also littered with countless emojis, which Hutchins noted can be a clue that the software was written by AI.
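The two indicators described above, dense English comments and emoji in the source, lend themselves to a simple triage heuristic for samples landing in an analyst queue. The following is an added example written for this page, not tooling from Expel or Hutchins: the Unicode ranges, the thresholds and the two sample snippets are assumptions, and it only flags a sample for human review rather than attributing authorship, since hand-written code can trip either signal.

```python
"""Triage heuristic for the 'AI-written code' indicators in the article:
dense comments and emoji characters inside source text.
Added example; ranges, thresholds and samples are assumptions."""
from dataclasses import dataclass

# Unicode blocks that hold the emoji most commonly pasted into source text.
# Assumption: these ranges are enough for triage; this is not a complete
# emoji grammar (no ZWJ sequences, skin-tone modifiers or flag pairs).
_EMOJI_RANGES = (
    (0x2600, 0x27BF),    # Miscellaneous Symbols and Dingbats (e.g. U+2705)
    (0x1F300, 0x1F5FF),  # Miscellaneous Symbols and Pictographs
    (0x1F600, 0x1F64F),  # Emoticons
    (0x1F680, 0x1F6FF),  # Transport and Map Symbols (e.g. U+1F680)
    (0x1F900, 0x1F9FF),  # Supplemental Symbols and Pictographs
)


def is_emoji(ch: str) -> bool:
    """True if the character falls in one of the emoji blocks above."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in _EMOJI_RANGES)


@dataclass
class SourceStats:
    total_lines: int     # non-blank lines
    comment_lines: int   # lines that are entirely a comment
    emoji_count: int     # emoji characters seen anywhere in the text
    emoji_lines: int     # lines containing at least one emoji

    @property
    def comment_ratio(self) -> float:
        return self.comment_lines / self.total_lines if self.total_lines else 0.0


def analyze_source(text: str, comment_prefixes=("#", "//")) -> SourceStats:
    """Count non-blank lines, whole-line comments and emoji in a source blob.
    Only whole-line comments are counted so that string literals containing
    '#' or '//' do not inflate the ratio."""
    total = comments = emoji_count = emoji_lines = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        total += 1
        if line.startswith(comment_prefixes):
            comments += 1
        n = sum(1 for ch in line if is_emoji(ch))
        if n:
            emoji_count += n
            emoji_lines += 1
    return SourceStats(total, comments, emoji_count, emoji_lines)


def triage(text: str, min_emoji: int = 3, min_comment_ratio: float = 0.4):
    """Return (flagged, reasons). The thresholds are assumed starting points
    for an analyst queue, not a verdict on who wrote the code."""
    stats = analyze_source(text)
    reasons = []
    if stats.emoji_count >= min_emoji:
        reasons.append(f"{stats.emoji_count} emoji on {stats.emoji_lines} lines")
    if stats.comment_ratio >= min_comment_ratio:
        reasons.append(f"comment ratio {stats.comment_ratio:.2f}")
    return bool(reasons), reasons


# Constructed, inert snippet in the commented, emoji-heavy style the article
# describes; it is not code from the campaign.
SAMPLE_SUSPICIOUS = """\
# 🚀 Entry point: build the daily report
# ✅ Step 1: load the settings file
# 📊 Step 2: aggregate the counters
import json
# 🎉 Step 3: write the summary
def summarize(path):
    with open(path) as fh:
        return len(json.load(fh))
"""

# Constructed snippet in an ordinary hand-written style for comparison.
SAMPLE_PLAIN = """\
import os

def collect(path):
    # skip hidden entries
    return [p for p in os.listdir(path) if not p.startswith(".")]
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SAMPLE_SUSPICIOUS), ("plain", SAMPLE_PLAIN)):
        flagged, why = triage(src)
        print(f"{name}: flagged={flagged} {why}")
```

Run as a script it reports the suspicious sample as flagged on both signals and the plain sample as clean. In practice the thresholds should be tuned against a corpus of known-benign code from the same developers, and the output treated as one enrichment field alongside the behavioral indicators that endpoint tooling already produces.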
The advent of AI hacking tools has raised fears of a near future in which anyone can use automated tools to dig up exploitable vulnerabilities in any piece of software, like a kind of digital intrusion superpower. Here in the present, however, AI seems to be playing a more mundane, if still concerning, role in hackers’ toolkit: It’s helping mediocre hackers level up and carry out broad, effective malware campaigns. That includes one group of relatively unskilled North Korean cybercriminals who’ve been discovered using AI to carry out virtually every part of an operation that hacked thousands of victims to steal their cryptocurrency.
On Wednesday, cybersecurity firm Expel revealed what it describes as a North Korean state-sponsored cybercrime operation that installed credential-stealing malware on more than 2,000 computers, specifically targeting the machines of developers working on small cryptocurrency launches, NFT creation, and Web3 projects. By using the AI tools of US-based companies, including those of OpenAI, Cursor, and Anima, the hacker group—which Expel calls HexagonalRodent—“vibe coded” almost every part of its intrusion campaign, from writing their malware to building the fake websites of companies used in its phishing schemes. That AI-enabled hacking allowed the group to steal as much as $12 million in cryptocurrency from victims in three months.
What’s most striking about the HexagonalRodent hacking campaign isn’t its sophistication, says Marcus Hutchins, the security researcher who discovered the group, but rather how AI tools allowed an apparently unsophisticated group to carry out a profitable theft spree in the service of the North Korean state. “These operators don't have the skills to write code. They don't have the skills to set up infrastructure. AI is actually enabling them to do things that they otherwise just would not be able to do,” says Hutchins, who became well-known in the cybersecurity community after disabling the WannaCry ransomware worm created by North Korean hackers.
Emoji-Littered, AI-Written Code
HexagonalRodent’s hacking operation focused on tricking crypto developers with fraudulent job offers at tech firms, going so far as to create full websites for the fake companies recruiting the victims, often created with AI web design tools. Eventually, the victim was told they’d have to download and complete a coding assignment as a test—which the hackers had infected with malware that infiltrated their machine and stole credentials, including those that in some cases could grant access to the keys that controlled their crypto wallets.
Those parts of the hacking operation appear to have been well-honed and effective, but the hackers were also clumsy enough to leave parts of their own infrastructure unsecured, leaking the prompts they used to write their malware with tools that included OpenAI’s ChatGPT and Cursor. They also exposed a database where they tracked victim wallets, which allowed Expel to estimate the total amount of cryptocurrency the hackers may have stolen. (While those wallets added up to $12 million in total contents, Hutchins says the company couldn’t confirm for each target whether the entire sum had already been drained from the wallets or if the hackers still needed to obtain keys to the victim wallets in some cases, given some may have been protected with hardware security tokens.)
Hutchins also analyzed samples of the hackers’ malware and found other clues that it was largely—perhaps entirely—created with AI. It was thoroughly annotated with comments throughout—in English—hardly the typical coding habits of North Koreans, despite the fact that some command-and-control servers for the malware tied them to known North Korean hacking operations. The malware’s code was also littered with emojis, which Hutchins points out can, in some cases, serve as a clue that software was written by a large language model, given that programmers writing on a PC keyboard rather than a phone rarely take the time to insert emojis. “It's a pretty well-documented sign of AI-written code,” Hutchins says.
The AI-written code Hutchins analyzed ought to have been detectable with the typical “endpoint detection and response” security tools used in most companies and government agencies, Hutchins says, given that it followed standard patterns of behavior for malware. But Hutchins says HexagonalRodent’s decision to focus on individual victims in its hacking campaign meant many didn’t have those security tools installed. “They found a niche where you actually can get away with completely AI-generated malware,” says Hutchins.
Hutchins argues that the HexagonalRodent campaign shows how AI may be an especially useful tool for North Korea, which can easily recruit unskilled IT workers to join its hacker ranks—or more commonly, to infiltrate tech companies while posing as citizens of other countries—but has a far more limited number of capable hackers, given the average North Korean’s lack of access to the internet or even computers. “They have hundreds of people being sent over the border to work in IT operations, and only a few of them really know what they're doing,” Hutchins says. “But then they're able to use generative AI to get a leg up and actually run fairly successful hacking campaigns.”
In fact, rather than reduce the number of people involved in the hacking campaign through automation, Hutchins says he’s been able to observe North Korean operations grow in size over time. Expel estimates that as many as 31 individual hackers were involved in HexagonalRodent. “They just keep adding more and more operators,” Hutchins says. “Because they can just hand them access to an AI model, and they can now do things which they would have previously needed a development team to support.”
A Hermit Kingdom, Embracing AI
The HexagonalRodent activity observed by Hutchins makes up only a small part of North Korea’s sweeping hacking and cybercriminal activity, which can involve vast cryptocurrency theft, ransomware, espionage, fraud, and infiltrating Western organizations through its IT worker schemes. Security researchers have likened North Korea's cyber operations to a “state-sanctioned crime syndicate,” one that ultimately works to fund the nation’s nuclear weaponry, build the country’s infrastructure, and evade international sanctions.
Increasingly, and perhaps unsurprisingly, these state-backed programs have been adding generative AI to their hacking and fraud workflows to improve their overall efficiency. Within North Korea, these efforts have reportedly been supported by the creation of Research Center 227, an organization sitting under the military’s Reconnaissance General Bureau that will partly focus on developing AI-focused hacking tooling. But day-to-day, North Korea’s cyber operators have repeatedly been caught using commercial, off-the-shelf AI tools.
“North Korea is using AI as a force multiplier, and it is helping with every aspect—building resumes, building websites, building exploits, testing vulnerabilities—and they're doing it at speed and scale,” says Michael “Barni” Barnhart, a researcher at security firm DTEX, who has tracked the country’s hacking operations for years. North Korean cyber operators have been experimenting with and widely using AI for multiple years, Barnhart says. “AI is helping them move faster so that they can weaponize exploits and even help build those exploits,” he explains. “You get little pieces of the puzzle from each of the groups, and then it kind of forms a whole picture of how they're using AI.”
For instance, members of North Korea’s IT worker programs have been using AI assistants and face-changing deepfakes to answer questions and change their appearance during fraudulent job interviews. Security researchers at Microsoft have spotted suspected North Korean