North Korean threat actors are expected to launch imminent attacks aimed at stealing funds from "organizations with access to large quantities of cryptocurrency-related assets or products," the FBI is warning, adding that the attacks will use particularly deceptive social engineering tactics, including highly personalized targeting that will appear extremely convincing. In the last several months, federal officials have observed various state-sponsored actors from the DPRK conducting research on targets connected to crypto exchange-traded funds (ETFs). The reconnaissance appears to be pre-operational in nature, the agency said in a public service announcement published yesterday.
Impending attacks, which may include both crypto theft and the deployment of malware, will likely be stealthy, arriving as seemingly innocuous conversations with people who speak English fluently and appear to have an authentic business reason for contact, or as job opportunities for employees. Attackers also will likely play the long game, taking the time to cultivate a personal relationship before doing anything malicious, the agency said.
See: https://redskyalliance.org/main/search/search?q=lazarus
North Korean advanced persistent threats (APTs) such as Lazarus and Kimsuky are particularly adept at using social engineering to steal crypto in threat campaigns aimed at gathering funds to support the country's nuclear program as well as other endeavors of North Korea's Supreme Leader Kim Jong Un. In fact, the United Nations estimates that North Korean attackers have stolen up to $3 billion in crypto so far in such targeted attacks. In these campaigns, state-sponsored actors convincingly impersonate recruiters and headhunters to target employees of different sectors, and even apply for and sometimes get hired for jobs in US firms to engage in malicious activity.
This fresh wave of attacks may be even more difficult to detect than previous ones, requiring vigilance on the part of the employees of crypto firms to monitor for any even remotely suspicious activity, the FBI said. "Given the scale and persistence of this malicious activity, even those well-versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets," according to the warning.
Attackers likely will use variations on three key areas of social engineering before they even attempt to engage in technologically malicious activity, according to the FBI. The idea is to win the trust of employees of crypto firms so they can gain access to accounts, systems, or other assets of their respective companies in a way that does not raise suspicion.
First, they may engage in extensive research to identify specific DeFi or cryptocurrency-related businesses to target, and do their homework on employees by reviewing their social media activity, particularly as it appears on professional networking or employment-related firms, the agency said. Armed with this info, attackers will move to the second phase of the ruse, with individualized fake scenarios that leverage "personal details regarding an intended victim’s background, skills, employment, or business interests to craft customized fictional scenarios designed to be uniquely appealing to the targeted person," according to the warning.
These can include offers of new employment or corporate investment that draw on employees' personal details and appeal to their interests or emotions, setting up a trust relationship that's furthered by prolonged conversations aimed at building a friendly rapport.
A third tactic used by attackers is to impersonate people that a victim may know personally or indirectly, such as a recruiter on a professional networking website or a prominent person in a related technology field. These impersonations may be accompanied by photos stolen from social media profiles or professional websites. Once the social relationship between the North Korean attacker and victim is solidified, threat actors will then proceed to make requests or offers that eventually lead to the deployment of malware or the theft of cryptocurrency.
These include requests to execute code or download applications on devices with access to a company's internal network, or to conduct a pre-employment test or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
Attackers also may insist on using non-standard or custom software to complete simple tasks easily achievable using common applications, such as video conferencing, to smuggle malware onto an organization's network. They also may request to move professional conversations to other messaging platforms or applications for a similar goal or send links or attachments that conceal malware to targeted employees related to the previously established communication.
Despite the sophistication of the tactics, firms likely to be targeted can take various steps to mitigate their risks, the FBI said. These include developing their own in-house methods to verify a contact's identity using separate unconnected communication platforms (such as a live video call on a different messaging app than the one used by the potential attacker).
Organizations also should be careful not to store information about cryptocurrency wallets such as logins, passwords, wallet IDs, seed phrases, private keys, etc. on Internet-connected devices, where they are vulnerable. And employees should avoid taking pre-employment tests or executing code during any recruitment process on company-owned laptops or devices.
Requiring multiple factors of authentication and approvals from several different unconnected networks prior to moving any financial assets to someone also is a best practice that can help any organization avoid being defrauded by savvy state-sponsored actors, according to the FBI.
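The warning above singles out pre-employment tests that involve unknown Node.js packages and repositories. As an added example (not from the FBI announcement or this article), the following static check lists what a received `package.json` would run or fetch outside the public registry before anyone types `npm install`. The function name and the sample manifest are constructed for illustration, and a clean result does not make the code safe to run.

```python
import json

# Scripts that npm runs automatically during `npm install` in a project directory.
AUTO_RUN = ("preinstall", "install", "postinstall", "prepare")
# Dependency specifiers that bypass the public registry (git, tarball URL, local path).
NON_REGISTRY_PREFIXES = ("git+", "git://", "http://", "https://", "github:", "file:")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def triage_package_json(text):
    """Return findings to review before running `npm install` (hypothetical helper)."""
    manifest = json.loads(text)
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in AUTO_RUN:
        if hook in scripts:
            findings.append(f"auto-run script {hook}: {scripts[hook]}")
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            spec = str(spec)
            # "user/repo" is GitHub shorthand; "npm:" aliases still resolve via the registry.
            is_shorthand = "/" in spec and not spec.startswith("npm:")
            if spec.startswith(NON_REGISTRY_PREFIXES) or is_shorthand:
                findings.append(f"non-registry dependency {name}: {spec}")
    return findings


# Constructed sample manifest; package and user names are made up.
SAMPLE = json.dumps({
    "name": "coding-test",
    "scripts": {"test": "jest", "postinstall": "node ./tools/setup.js"},
    "dependencies": {
        "express": "^4.18.2",
        "helper-lib": "github:example-user/helper-lib",
    },
    "devDependencies": {"jest": "^29.7.0"},
})

if __name__ == "__main__":
    for finding in triage_package_json(SAMPLE):
        print(finding)
```

Any finding is a reason to review the referenced script or repository on an isolated, non-corporate machine, in line with the guidance above about company-owned devices.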
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
https://www.darkreading.com/threat-intelligence/fbi-north-korean-actors-aggressive-cyberattack-wave