August 25, 2020

North Korean hacking group behind global cryptocurrency attacks

By Lucy Ingham

A global cyberattack campaign targeting companies in the cryptocurrency space has been attributed to Lazarus Group, a hacking organisation that has been linked to North Korea.

The link has been uncovered by cybersecurity company F-Secure, which found that tools used in a spate of attacks against cryptocurrency companies around the world were almost identical to those previously used in campaigns conducted by Lazarus Group.

F-Secure made the connection despite efforts by the group, which is also known as APT38, to destroy evidence linking to its involvement.

Lazarus Group has been targeting cryptocurrency organisations for several years, conducting a slew of cyberthefts that have been funnelled to the North Korean government, according to a report by the UN Security Council published in March 2019.

North Korean hacking organisation Lazarus Group targeting cryptocurrency companies

In the latest attacks now linked to the group, it has been conducting phishing attacks against cryptocurrency-related organisations across a host of countries, including the Netherlands, Singapore, Germany, Japan, the US and the UK. Particular methods included spearphishing via LinkedIn, by sending fake, tailored job offers to targets.

Once the attackers gained entry to organisations’ systems, they used methods to bypass corporate defences, including disabling antivirus software. They also hid evidence of their intrusion, including deleting logs of the malicious tools they used.

LinkedIn provided a statement to Verdict on the platform’s use by the attackers.

“We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members,” said Paul Rockwell, head of trust and safety at LinkedIn.

“We don’t wait on requests; our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies. Our teams utilise a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors.

“We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.”

F-Secure has published details of the tactics used by Lazarus Group in a report that is intended to help blue teams working for such organisations to protect against future attacks.

“Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said Matt Lawrence, director of detection and response at F-Secure.

“The evidence also suggests this is part of an ongoing campaign targeting organisations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks.”
