The FBI along with a couple of security and governing agencies have issued a joint Cybersecurity Advisory (CSA) on North Korean state-sponsored activity targeting blockchain technology and the cryptocurrency industry.
North Korean Cyber Actors
In collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the US treasury, the Federal Bureau of Investigation has found that the recent occurring cyber threats associated with the cryptocurrency and blockchain industry are linked to North Korean state-sponsored advanced persistent threat (APT).
The recent CSA highlights that the group is commonly tracked by the Cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
Previous CSA reports tell about how the North Korean government employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
According to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment, “North Korea’s cyber program poses a growing espionage, theft, and attack threat.”
“North Korea has conducted cybertheft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”
The just-released CSA states that the U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The behavior detailed under the published advisory was described as including social engineering of victims through a number of communication platforms in order to persuade them to download malicious payload cryptocurrency programs for Windows or macOS.
The cybercriminals then use the programs to get access to the victim’s computer, spread malware throughout the victim’s network, steal private keys, and exploit other security flaws. Further follow-on activities that launch fraudulent blockchain transactions are enabled by these activities.
The CyberSecurity and Infrastructure Security Agency gave a technically detailed update in the advisory on how the attackers identified from North Korea had possibly engineered the malware.
“ The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency.
As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”
