North Korean APTs Target Cryptocurrency Startups

Blockchain and cryptocurrency, cryptocurrency fraud, cybercrime

Kaspersky researchers detail 'SnatchCrypto' malware campaign


BlueNoroff, a suspected North Korean state-backed group, is targeting small and medium-sized cryptocurrency startups in a campaign called "SnatchCrypto," according to new research published by the antivirus and cybersecurity firm Kaspersky.


The threat actors, who have ties to the notorious North Korea-linked Lazarus group, are known for targeting financial institutions. In 2016, the group attacked Bangladesh Bank and stole $81 million: the attackers installed malware on the bank's systems and used it to send fraudulent transfer messages through the SWIFT interbank messaging system (see: Bangladesh Bank Files Lawsuit to Recover Funds After Cyber Theft).

Kaspersky calls the attackers' tactics "extensive and dangerous." The latest SnatchCrypto campaign relies on social engineering: the attackers pose as crypto-related companies or major venture capital firms, contact targets through social networks, typically Twitter or LinkedIn, and use that contact to deliver a phishing lure that infects the target's device and ultimately gives them a foothold in the organization's network, the researchers say.

"Cybercriminals chose the startup cryptosphere for a reason: Startups often receive letters or files from unknown sources," the researchers say, which makes it easier for attackers to deliver infected files.

Researchers recently gave a presentation on the attack scenario, and experts weighed in on how stronger regulation in the crypto space, along with security best practices and user education, can reduce the chances of these nation-state attacks succeeding.

'Strong motivation' to interrupt

Park Seongsu, senior security analyst at Kaspersky's Global Research and Analysis Team (GReAT), detailed the findings of the BlueNoroff investigation in a presentation at the Belgian Cyber Security Center. More than 15 companies and their employees had been affected.

Park says attacks from this APT group will not abate and that the actors will keep developing new tools "with a strong motivation" to carry out more cybercrime.

Ari Redbord, a former senior U.S. Treasury Department official and ISMG contributor, says crypto firms are being targeted by cyberattacks of "unprecedented speed and scale." He says groups like BlueNoroff are using digital tools to run bank-robbery operations that fund weapons programs and other "destabilizing activities."

"In the age of the Internet, a hack meant loss of PII. In the age of cryptocurrencies, a hack could cripple a small business or lead to the loss of a life's savings," says Redbord, who is head of legal and government affairs at blockchain analytics firm TRM Labs. "The same qualities that make cryptocurrencies such a powerful force for good, decentralized, rapid, cross-border permissionless transfer of value, also make them attractive to illicit actors who want to move funds quickly. However, due to the nature of the blockchain, law enforcement has more visibility than ever before to track and trace transactions."

Michael Fasanello, director of training and regulatory affairs at Blockchain Intelligence Group, says BlueNoroff is exploiting crypto startups because they often lack the means to implement and fund a security program capable of thwarting sophisticated socially engineered threats.

"Given the lack of overt action by many global regulators, including here in the US, data and security best practices and compliance obligations required of institutions operating in the traditional financial system have yet to be imposed on companies operating in the digital asset space," he says.

Crypto wallet strike

Once the attackers have tricked a victim into opening the macro-enabled document, BlueNoroff uses an arsenal of tools for reconnaissance, Park says. Initially, the actor delivers malware through a weaponized document carrying a Windows shortcut file or a PowerShell agent, which creates a backdoor into the system. From there, BlueNoroff can deploy additional monitoring tools, such as a keylogger or a screenshot tool, according to Park.

Once inside, the threat actors collect data on the victim for weeks and sometimes months, planning the best available route to the crypto wallets, he says.

Park says the threat actors check whether a victim manages digital assets with a browser extension such as MetaMask and, if so, replace the real wallet by tampering with the extension's core JavaScript file.

When the attack is launched, the victim sees a notification of a large transaction. The attackers inject logic into the approval flow so that, if the victim completes the final step and presses the "approve" button, the funds are transferred directly to the actor's crypto wallet.

'Cyber problem, not a crypto problem'

"The administration has made it clear that ransomware and malware attacks are a cyber problem, not a crypto problem," says Redbord, adding that it is essential that companies educate employees about related threats, including social engineering, that exploit both network and human vulnerabilities.

Regulators and law enforcement agencies have provided guidance to combat illicit activities associated with ransomware and other cybercrime, says Redbord.

He cites as examples the Office of Foreign Assets Control's guidance for the cryptocurrency industry in October and the sanctions imposed on cryptocurrency exchanges that facilitate transactions in ill-gotten gains, such as the Russia-based platforms Suex and Chatex. Redbord also notes that the U.S. Department of Justice has indicted the operators of Helix and Bitcoin Fog for money laundering associated with the dark web (see: US Treasury Blacklists Chatex Cryptocurrency Exchange).

"We are likely to see authorities go after this illicit underbelly of the overwhelmingly growing and legal cryptocurrency economy, and we should also expect a focus on working with the private sector to strengthen cyber defenses," says Redbord.

Blockchain Intelligence Group's Fasanello says that until regulators put the right measures in place, including best practices for identity and access management, while leaving room for innovation, these threats will persist.

