Experts linked attacks on crypto exchanges with North Korean APT Lazarus
A long-term large-scale campaign aimed at cryptocurrency exchanges around the world may be the work of the Lazarus hacker group, which experts associate with the DPRK government.
This is the conclusion reached by specialists at the Israeli information security company ClearSky after analyzing the findings of a number of cybersecurity companies and organizations that have studied similar attacks.
Last year, ClearSky published a report on a malicious campaign called CryptoCore (aka Dangerous Password and Leery Turtle) targeting cryptocurrency wallets owned by crypto exchanges or their employees. The campaign began in 2018, and over the next three years the criminals managed to steal millions of dollars in cryptocurrency from exchanges in the United States, Israel, Europe and Japan. The losses from these attacks are estimated at $200 million.
At that time, experts believed that a Russian-speaking group or a hacker group from Eastern Europe could be behind the attacks. However, reports from a number of organizations, in particular F-Secure, the Japanese CERT JPCERT/CC and NTT Security, released in the past few months suggest that Lazarus is involved.
ClearSky experts analyzed the indicators of compromise presented in the reports of the aforementioned organizations and identified a number of overlaps, both at the code level and in the tactics, techniques and procedures used in the CryptoCore attacks. All of this suggests that the companies analyzed different aspects of the same large-scale operation.
The involvement of Lazarus is also evidenced by the malicious tools used in CryptoCore, in particular the remote access Trojan named ntuser.cat, which was previously detected in other attacks by the North Korean group. For more technical details, see the ClearSky report.
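The cross-report indicator overlap described above (one report's indicators of compromise checked against the others') is the kind of correlation an analyst can script. The following is an added example, not code from the article or from ClearSky: it normalizes indicators from several hypothetical vendor reports (defanged domains, mixed-case filenames), computes pairwise overlaps and Jaccard similarity, and lists which indicators appear in more than one report. All indicator values are constructed placeholders (reserved `.invalid` domains, obviously fake hashes) except the `ntuser.cat` filename, which the article itself names; the report names are used only as labels for the constructed sets.

```python
from itertools import combinations

# Constructed sample indicator sets, keyed by report label and IoC type.
# Only "ntuser.cat" comes from the article; everything else is a placeholder.
REPORTS = {
    "ClearSky-CryptoCore": {
        "sha256": ["0000000000000000000000000000000000000000000000000000000000000aa1",
                   "0000000000000000000000000000000000000000000000000000000000000aa2"],
        "domain": ["example-update[.]invalid", "docs-share[.]invalid"],
        "filename": ["ntuser.cat", "invoice-placeholder.lnk"],
    },
    "F-Secure": {
        "sha256": ["0000000000000000000000000000000000000000000000000000000000000AA1",
                   "0000000000000000000000000000000000000000000000000000000000000bb3"],
        "domain": ["EXAMPLE-UPDATE.invalid"],          # same domain, different form
        "filename": ["ntuser.cat"],
    },
    "JPCERT-CC": {
        "sha256": ["0000000000000000000000000000000000000000000000000000000000000bb3"],
        "domain": ["docs-share[.]invalid"],
        "filename": ["NTUSER.CAT"],                      # case differs from the others
    },
    "NTT-Security": {
        "sha256": ["0000000000000000000000000000000000000000000000000000000000000cc4"],
        "domain": ["other-placeholder[.]invalid"],
        "filename": ["ntuser.cat"],
    },
}


def normalize(value: str) -> str:
    """Canonical form so that defanged / differently-cased copies of one IoC compare equal."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def indicator_set(report: dict) -> set:
    """Flatten one report into a set of (type, normalized value) tuples."""
    return {(ioc_type, normalize(v)) for ioc_type, values in report.items() for v in values}


def jaccard(a: set, b: set) -> float:
    """Share of the combined indicator pool that both reports mention."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def pairwise_overlap(reports: dict) -> dict:
    """Map each (report_a, report_b) pair to the sorted list of indicators both contain."""
    sets = {name: indicator_set(r) for name, r in reports.items()}
    return {(a, b): sorted(sets[a] & sets[b]) for a, b in combinations(sorted(sets), 2)}


def shared_indicators(reports: dict, min_reports: int = 2) -> dict:
    """Map each indicator to the sorted reports naming it, keeping those seen in >= min_reports."""
    seen = {}
    for name, report in reports.items():
        for ioc in indicator_set(report):
            seen.setdefault(ioc, set()).add(name)
    return {ioc: sorted(names) for ioc, names in seen.items() if len(names) >= min_reports}


if __name__ == "__main__":
    sets = {name: indicator_set(r) for name, r in REPORTS.items()}
    for (a, b), common in pairwise_overlap(REPORTS).items():
        print(f"{a:20} vs {b:20} shared={len(common)} jaccard={jaccard(sets[a], sets[b]):.2f}")
    print("\nIndicators reported by more than one source:")
    for (ioc_type, value), names in sorted(shared_indicators(REPORTS).items()):
        print(f"  [{ioc_type}] {value}: {', '.join(names)}")
```

Two caveats matter when reading such a matrix: a filename like `ntuser.cat` is a weak indicator on its own and is easily changed, so overlap on hashes, infrastructure and TTPs carries more weight; and reports that cite each other will share indicators without being independent observations, so the provenance of each report's data should be checked before treating agreement as corroboration.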