Hackers tied to the North Korean government are using a mixture of spearphishing and malware to target and rob companies in the cryptocurrency and gaming industries, the U.S. government warned this week.
The alert, issued by the FBI, Department of the Treasury and Cybersecurity and Infrastructure Security Agency, details activity ongoing from 2020 through April 2022 by hackers sponsored by North Korea and behaving similarly to Lazarus Group — a catch-all for a mix of government and criminal hacking groups working under the direction or influence of Pyongyang.
“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency,” the agencies warned. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”
The campaign targets rank-and-file employees at cryptocurrency firms — namely system administrators and IT or software developers — through social media and other communications. Threat actors have posed as job recruiters offering high-paying gigs, slick-looking websites and links to a malware-infected cryptocurrency application. The malware itself is written in JavaScript, built mostly from open source software and can attack both Mac and Windows operating systems.
Last year the Cybersecurity and Infrastructure Security Agency, FBI and Department of the Treasury also released a joint advisory and analysis of multiple variants of malware, called AppleJeus, which the North Koreans used as a trojanized cryptocurrency trading application impersonating a legitimate company and targeting Windows and Mac operating systems. The advisory contains technical analysis as well as indicators of compromise that security teams can use to detect the malware.
The new alert “describes a spear-phishing campaign that leverages the hot job market to entice users into downloading malicious cryptocurrency software,” said Tim Erlin, vice president of strategy at TripWire. “We’ve certainly seen attacks focused on cryptocurrency before, and malicious software isn’t new. It’s important that readers understand that this alert isn’t about a new technology, but increased attack activity.”
The warning comes a week after FBI officials attributed a $620 million hack and theft from the Ronin network of NFT-based video game company Axie Infinity to Lazarus Group and North Korea. Both U.S. government officials and private sector analysts say the North Korean government relies on hacking and cryptocurrency theft to evade international sanctions and fund priorities like its nuclear weapons program. The country has been behind some of the largest cryptocurrency hacks in recorded history, with no signs of slowing down.
It also follows a spate of lucrative cryptocurrency hacks in recent months as well as high-profile vulnerabilities discovered in blockchain-based companies’ platforms. A Chainalysis report earlier this year found that the amount of cryptocurrency transferred from illicit wallets to decentralized finance services spiked 1,964% between 2020 and 2021.
“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure. Any small vulnerability can possibly allow cybercriminals to hijack crypto wallets behind the scenes,” said Check Point Products Vulnerabilities Research Head Oded Vanunu last week. “We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme.”