The FBI and the Center for Internet Security (CISA) have released a new study alleging North Korean hackers of attacking the US crypto business. This paper discusses the hack in detail and the reasons why the North Korean government is responsible for the attack on the website.
The CISA tweeted:
With the @FBI, and @USTreasury, we released a new cybersecurity advisory on North Korean state-sponsored activity targeting blockchain technology and the cryptocurrency industry. Read the technical guidance and mitigation strategies: https://t.co/Oio478Ouv3 pic.twitter.com/VLa3HUrsPY
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 18, 2022
“With the @FBI and @USTreasury, we released a new cybersecurity advisory on North Korean state-sponsored activity targeting blockchain technology and the cryptocurrency industry.”
The Full Report
This joint Cybersecurity Advisory (CSA) is being issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the United States Treasury Department (Treasury) to raise awareness of the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020, according to the report. The Lazarus Group, APT38, BlueNoroff, and Stardust Chollima are some of the names used by the cybersecurity industry to refer to this group.
In recent months, the United States government has observed North Korean cyber actors targeting a wide range of organizations in the blockchain technology and cryptocurrency industries. These organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols and play-to-earn cryptocurrency video games, cryptocurrency trading companies and venture capital funds investing in cryptocurrency, as well as individuals who own large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The behavior detailed in this warning involves the social engineering of victims through the use of a variety of communication platforms in order to persuade them to download trojanized cryptocurrency programs for use on Windows or macOS operating systems, as stated in this advisory.
The cyber actors then use the programs to obtain access to the victim’s computer, spread malware throughout the victim’s network environment, steal private keys, or take advantage of other security flaws in the victim’s network environment. These operations provide the way for more follow-on activities to take place, which in turn facilitate fraudulent blockchain transactions.
There is a thorough report on the technical aspects of the breach, which includes information on the procedure and tools that were utilized by the hackers to exploit the vulnerability. The report says:
“Observed payloads include updated macOS and Windows variants of Manuscript, a custom remote access trojan (RAT) that collects system information and has the ability to execute arbitrary commands and download additional payloads. Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.”