On April 18, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Department of Treasury issued a joint Cybersecurity Advisory to highlight the cyber threat associated with crypto thefts and the tactics used by a North Korean state-sponsored advanced persistent threat (APT) group. The advisory states that the APT group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
APT groups are adversaries that possess sophisticated levels of expertise and significant resources, which allow them to achieve their objectives by using multiple attack vectors including cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for the purpose of exfiltrating information, or of undermining or impeding critical aspects of a mission or program.
This cybersecurity alert may have been issued in response to the $568 million Ronin Network Exploit. Recently, the Office of Foreign Assets Control (OFAC) added an Ethereum wallet address: 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 associated with the Lazarus Group to its sanctions list. This sanctioned address contains funds stolen from the Ronin Network hack. Over the years, Lazarus Group has been associated with several major cyberattacks, including the 2014 hack on Sony Pictures and the 2017 WannaCry ransomware attacks. OFAC first imposed sanctions on the Lazarus Group and two of its sub-groups BlueNoroff and Andariel in September 2019.
In the advisory, the U.S. agencies noted that the North Korean cyber actors have been targeting a wide range of crypto and blockchain companies, including crypto exchanges, decentralized finance (DeFi) protocols, crypto trading companies as well as holders of large amounts of crypto and non-fungible tokens (NFTs) among others.
The agencies explained that cybersecurity attackers utilize social engineering techniques to lure victims into downloading malware. Using various communication platforms, cyber actors may dupe victims into downloading trojanized crypto applications on Windows or macOS operating systems. A Trojan is a type of malware that is downloaded onto a computer system disguised as a legitimate program. The delivery method is typically hidden as an attachment in an email or a free-to-download file that is then transferred onto the user’s device. Once downloaded, the malicious code executes the task the attacker designed it for, such as gaining backdoor access to corporate systems or stealing sensitive data.
In the cryptosphere, “a cyber actor may try to propagate malware across the victim’s network environment, steal private keys or exploit other security gaps,” the agencies warned. The agencies further added that these activities enable follow-on activities that initiate fraudulent blockchain transactions.
Moreover, the alert also highlighted that as of April 2022, the Lazarus Group has also been using spearphishing campaigns and malware to steal crypto assets. In a spearphishing attack, cyber actors target specific individuals with customized messaging to trick them into revealing sensitive information. In the crypto industry, attackers send phishing emails and text messages purporting to be from hardware wallet providers like Trezor or from crypto exchanges, in an attempt to induce recipients to update their seed phrase or change their password. After the attackers steal the log-in credentials, they drain the recipient’s wallet.
Further, cyber intrusions in the crypto industry also begin with a large number of spearphishing messages being sent to employees of crypto companies; more often than not, these employees work in system administration or software development/IT operations. The messages often mimic a recruitment effort to entice the recipients to download malware-laced crypto applications, which the U.S. government refers to as TraderTraitor.
TraderTraitor’s malicious applications can be original, but they can also borrow code from open-source projects, claiming to be crypto trading or price prediction tools. TraderTraitor campaigns feature websites with modern designs advertising the alleged features of the applications.
These malicious applications contain functions designed to fetch and run a payload that is an updated variant of the Manuscrypt RAT, which targets Windows and macOS, or a custom remote access trojan (RAT) capable of harvesting system information. Once the payload is deployed, cybercriminals can execute commands and send additional malware. According to CISA’s Malware Analysis Report, published in July 2021, the Manuscrypt family of malware is used by APT actors to target crypto companies. Manuscrypt is a full-featured RAT capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.
TraderTraitor crypto apps that have been used by the APT Group
Some of the malicious applications identified in the TraderTraitor crypto attacks include:
- DAFOM: It appears to be a crypto portfolio application.
- TokenAIS: This application purports to help build a portfolio of AI-based crypto trading.
- CryptAIS: Similar to TokenAIS, CryptAIS also advertises that it assists in building a portfolio for AI-based crypto trading.
- AlticGO: It claims to provide real-time crypto pricing and forecasts. This application is only executable on Windows.
- Esilet: Like AlticGO, it also claims to offer live crypto pricing and forecasts.
- CreAI Deck: It purports to be a platform for AI and deep learning.
Mitigative measures that should be put in place by crypto and blockchain companies
Noting that the North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest, acquire sensitive crypto-intellectual property, and gain financial assets, the U.S. government recommends implementing the following mitigative measures to protect the critical infrastructure and financial sector organizations in the blockchain and crypto industry:
- Applying defense-in-depth security strategies
Defense-in-depth (DiD) is a cybersecurity strategy that uses multiple security products and practices to safeguard an organization’s network, web properties, and resources. Under DiD, companies can use network segmentation to separate networks into zones based on roles and requirements. Separate network zones help prevent lateral movement throughout the organization and limit the attack surface.
- Implementing patch management
Patch management is the process of distributing and applying updates to software. These patches are often necessary to correct errors such as vulnerabilities or bugs in the software. Companies should set up a timely vulnerability and patch management program to mitigate exposure to critical common vulnerabilities and exposures (CVEs). Further, internet-facing devices should be monitored for malicious activity.
- Enforce credential requirements and multifactor authentication
To reduce the impact of password spraying and other brute force techniques, organizations should ensure that their users change passwords regularly.
- Educate users on social engineering on social media and spearphishing
Companies should conduct user training on how to recognize social engineering techniques, and create awareness around opening links and attachments only from trusted senders.
- Implement email and domain mitigations
Organizations should implement a robust domain security solution that includes leveraging reputation checks and closely monitoring or blocking newly registered domains (NRDs) in enterprise traffic. Additionally, they should disable the use of HTML in emails and scan email attachments. They should also integrate an additional malware-scanning interface product that captures potentially malicious payloads and passes them to the primary antivirus product.
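The NRD and reputation checks described above can be expressed as a small piece of detection logic run over mail-gateway logs. The following is an added example written for this article, not code from the advisory or from Merkle Science. It assumes a key=value log format and a domain-registration cache (both constructed here; a real deployment would populate the cache from a WHOIS/RDAP enrichment feed), and it treats a missing registration record as a reason to hold the message for review rather than to allow it.

```python
"""Flag inbound mail from newly registered, blocklisted, or unknown sender domains."""
import re
from datetime import date, datetime

# Constructed sample: what a WHOIS/RDAP enrichment cache might return
# (domain -> registration date). The .example TLD is reserved, so none of
# these are real domains. Assumption: the real feed supplies creation dates.
DOMAIN_CREATED = {
    "corp.example": date(2012, 3, 5),
    "known-partner.example": date(2016, 9, 14),
    "careers-portal.example": date(2022, 4, 11),    # registered days before the mail
    "ais-trading-tools.example": date(2022, 3, 30),
}

# Constructed reputation blocklist (in practice: a threat-intel feed).
REPUTATION_BLOCKLIST = {"ais-trading-tools.example"}

# Constructed mail-gateway log lines in an assumed key=value format.
SAMPLE_LOG = """\
2022-04-20T09:12:03Z from=recruiter@careers-portal.example to=dev1@corp.example attachment=TokenAIS.zip
2022-04-20T09:15:44Z from=billing@known-partner.example to=ap@corp.example attachment=invoice.pdf
2022-04-20T10:02:10Z from=support@ais-trading-tools.example to=ops@corp.example attachment=CryptAIS.dmg
2022-04-20T10:30:00Z from=alerts@unknown-sender.example to=ops@corp.example attachment=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attachment=(?P<att>\S+)$"
)


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def domain_age_days(domain: str, seen_on: date):
    """Days between registration and the observation date, or None if unknown."""
    created = DOMAIN_CREATED.get(domain)
    return None if created is None else (seen_on - created).days


def classify(line: str, max_age_days: int = 30) -> dict:
    """Classify one log line as ALLOW, HOLD (no registration data) or BLOCK."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {"domain": None, "verdict": "UNPARSED", "reasons": []}
    seen_on = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
    domain = sender_domain(m["from"])
    reasons = []
    if domain in REPUTATION_BLOCKLIST:
        reasons.append("blocklisted-domain")
    age = domain_age_days(domain, seen_on)
    if age is not None and age < max_age_days:
        reasons.append(f"newly-registered({age}d)")
    if reasons:
        verdict = "BLOCK"
    elif age is None:
        verdict = "HOLD"          # unknown domain: quarantine for analyst review
        reasons.append("no-registration-data")
    else:
        verdict = "ALLOW"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


def scan(log_text: str, max_age_days: int = 30) -> list:
    """Classify every non-empty line of a log."""
    return [classify(l, max_age_days) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(f"{result['verdict']:7} {result['domain']:28} {', '.join(result['reasons'])}")
```

The 30-day threshold is a tunable assumption; the point is that a message whose sender domain did not exist a few days earlier, or whose domain has no registration record at all, never reaches a developer's or administrator's inbox without review.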
- Endpoint protection
To reduce the risk of introducing exposed hosts to critical networks, organizations should ensure that their employees install security suites on their mobile devices to detect and mitigate malware.
- Enforce application security
Implement baseline rule sets, such as NSA’s Limiting Location Data Exposure guidance, to block the execution of unauthorized or malicious programs.
- Be aware of third-party downloads—especially crypto applications
Organizations should make certain that their employees and users always verify file downloads and ensure the source is from a reputable or primary (preferred) vendor and not from third parties.
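Verifying a download means more than looking at the site it came from: the installer's hash should match the checksum the primary vendor publishes, and a mismatch should stop the install. The following added example (written for this article, not code from the advisory or from Merkle Science) parses a vendor-style SHA256SUMS file and checks every listed file in a download directory; the files and checksums here are constructed inline so the script runs offline. It assumes the checksum file was fetched separately from the vendor's own site over TLS; a checksum that arrives alongside the download from a third party proves nothing.

```python
"""Verify downloaded installers against a vendor-published SHA256SUMS file."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict:
    """Parse GNU sha256sum output: one '<hex digest>  <filename>' per line.
    A leading '*' on the filename marks binary mode and is not part of the name."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir: Path, sums_text: str) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every file listed."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = download_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids timing differences; mismatch means do not install.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo() -> dict:
    """Constructed sample: one genuine file, one tampered file, one absent file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        genuine = b"genuine installer bytes (constructed)"
        (d / "wallet-setup.exe").write_bytes(genuine)
        (d / "wallet-setup.dmg").write_bytes(b"tampered bytes (constructed)")
        sums = "\n".join([
            "# constructed SHA256SUMS, standing in for the vendor's published file",
            f"{hashlib.sha256(genuine).hexdigest()}  wallet-setup.exe",
            f"{hashlib.sha256(b'expected dmg bytes').hexdigest()} *wallet-setup.dmg",
            f"{'0' * 64}  wallet-setup.AppImage",
        ])
        return verify_downloads(d, sums)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Where the vendor also signs its releases, check the signature on the checksum file (or the code-signing certificate on the installer) before trusting the hashes; the hash check alone only ties the file to what the publisher stated.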
- Implementing an incident response plan to respond to possible cyber intrusions
The plan should include reporting incidents to both the FBI and CISA—quick reporting can reduce the severity of incidents and provide valuable information to investigators.
Contact information: All organizations should report incidents and anomalous activity to the CISA 24/7 Operations Center by email (the address was redacted in this copy of the article) or at (888) 282-0870, and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
How can Merkle Science help?
With U.S. law enforcement agencies strengthening their cybersecurity regime and ensuring strict implementation of their guidelines through enforcement actions, blockchain and crypto companies should proactively put robust compliance and security frameworks in place. Merkle Science’s highly customizable and easy-to-use platform provides near real-time detection of blockchain transactional risks. Our predictive cryptocurrency risk and intelligence platform sets the standard for the next generation of financial safeguards and criminal detection. Merkle Science's proprietary Behavioral Rule Engine allows crypto businesses to tailor the tool to their risk policies based on the recent changes, so that businesses can stay ahead of emerging illicit activities and fulfill their local compliance obligations.