DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign
- F-Secure connects attack on organization working in the cryptocurrency vertical with a global Lazarus Group campaign, in spite of attacker’s efforts to destroy evidence
On August 25th, cyber security provider F-Secure published a report linking an attack against an organization working in the cryptocurrency vertical to Lazarus Group – a highly-skilled, financially-motivated threat actor whose interests reportedly align with the Democratic People’s Republic of Korea (DPRK). By connecting evidence obtained from the attack with existing research, the report concludes the incident was part of a Lazarus Group campaign targeting organizations in the cryptocurrency vertical in the United States, the United Kingdom, the Netherlands, Germany, Singapore, Japan, and other countries.
The tactical intelligence report provides an analysis of samples, logs, and other technical artifacts recovered by F-Secure during an incident response investigation at an organization working in the cryptocurrency vertical.
According to the report, the malicious implants used in the attack were nearly identical to tools reportedly used previously by Lazarus Group – also known as APT38.
The report identifies the Tactics, Techniques, and Procedures (TTPs) used during the attack, such as spearphishing via a service (in this case, using LinkedIn to send a fake job offer tailored to the recipient’s profile). According to F-Secure Director of Detection and Response Matt Lawrence, the research provides a solid foundation for the report’s actionable security advice.
“Our research, which included insights from our incident response, managed detection and response, and tactical defense units, found that this attack bears a number of similarities with known Lazarus Group activity, so we’re confident they were behind the incident,” said Lawrence. “The evidence also suggests this is part of an ongoing campaign targeting organizations in over a dozen countries, which makes the attribution important. Companies can use the report to familiarize themselves with this incident, the TTPs, and Lazarus Group in general, to help protect themselves from future attacks.”
Based on phishing artifacts recovered from Lazarus Group’s attack, F-Secure’s researchers were able to link the incident to a wider, ongoing campaign that’s been running since at least January 2018. According to the report, similar artifacts have been used in campaigns in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan, and the Philippines.
Lazarus Group invested significant effort to evade the target organization’s defenses during the attack, such as by disabling anti-virus software on the compromised hosts, and removing evidence of their malicious implants. And while the report describes the attack as sophisticated, it points out Lazarus Group’s efforts to hide their presence were not enough to prevent F-Secure’s investigation from recovering evidence of their activities.
The report, Lazarus Group Campaign Targeting the Cryptocurrency Vertical, contains more information for defenders, including indicators of compromise, a list of TTPs used in the attack, and additional advice for detecting Lazarus Group activity. It is now available on F-Secure Labs.
About F-Secure
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.
Cryptocurrency is a digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a ledger existing in a form of computerized database using strong cryptography to secure transaction records, to control the creation of additional coins, and to verify the transfer of coin ownership. It typically does not exist in physical form (like paper money) and is typically not issued by a central authority.
Cryptocurrencies typically use decentralized control as opposed to centralized digital currency and central banking systems. When a cryptocurrency is minted or created prior to issuance or issued by a single issuer, it is generally considered centralized. When implemented with decentralized control, each cryptocurrency works through distributed ledger technology, typically a blockchain, that serves as a public financial transaction database.
Bitcoin, first released as open-source software in 2009, is the first decentralized cryptocurrency. Since the release of bitcoin, over 6,000 altcoins (alternative variants of bitcoin, or other cryptocurrencies) have been created.
Cryptocurrency is a system that meets six conditions:
- The system does not require a central authority, its state is maintained through distributed consensus.
- The system keeps an overview of cryptocurrency units and their ownership.
- The system defines whether new cryptocurrency units can be created. If new cryptocurrency units can be created, the system defines the circumstances of their origin and how to determine the ownership of these new units.
- Ownership of cryptocurrency units can be proved exclusively cryptographically.
- The system allows transactions to be performed in which ownership of the cryptographic units is changed. A transaction statement can only be issued by an entity proving the current ownership of these units.
- If two different instructions for changing the ownership of the same cryptographic units are simultaneously entered, the system performs at most one of them.
In March 2018, the word cryptocurrency was added to the Merriam-Webster Dictionary. Transaction fees for cryptocurrency depend mainly on the supply of network capacity at the time, versus the demand from the currency holder for a faster transaction.