Since at least 2020, the North Korean state-sponsored group Lazarus has been running cyberattacks aimed at stealing cryptocurrency, which is then laundered and funneled to North Korea. The campaign has become serious enough that the FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency) issued a joint U.S. government advisory on it. Here is what you need to know about the threat.


The Attack By the APT Group

The latest campaign attributed to the North Korean threat group Lazarus (also tracked as APT38, BlueNoroff, and Stardust Chollima) targets organizations and individuals across the blockchain and cryptocurrency ecosystem: cryptocurrency exchanges, cryptocurrency traders and investors, crypto-based (play-to-earn) video games, and individuals holding large amounts of cryptocurrency or valuable NFTs. Through these intrusions the group has siphoned off large sums of cryptocurrency; by April 2022 it had already moved significant amounts to North Korea.


The Techniques To Be Wary Of

Since the Great Resignation, fake job offers have become a reliable way to get unsuspecting victims to click on a link, and the Lazarus Group uses exactly this lure. It sends messages to employees of crypto-related organizations, often mimicking a recruitment effort and offering a high-paying job. The target is then encouraged to download what looks like a legitimate cryptocurrency application but is in fact malware; the U.S. government refers to this family of malware-laced applications collectively as TraderTraitor.

TraderTraitor is a set of malicious applications and the websites that distribute them. They are cross-platform desktop applications built from legitimate open-source projects (JavaScript on Node.js, packaged with Electron) so that they look like genuine cryptocurrency trading or price-prediction tools, but they are entirely controlled by the attackers and are designed to steal the victim's information and drain their accounts. Because everything about them looks plausible, avoiding them requires real vigilance: the lure is simple on its surface but carefully constructed.

The TraderTraitor applications identified so far, with the domains that distributed them, are:

  • DAFOM (dafom[.]dev)
  • TokenAIS (tokenais[.]com)
  • CryptAIS (cryptais[.]com)
  • AlticGO (alticgo[.]com)
  • Esilet (esilet[.]com), and
  • CreAI Deck (creaideck[.]com)

DAFOM is presented as a cryptocurrency portfolio application, and the distributed build was signed with a valid Apple digital signature issued for Apple Developer Team ID W58CYKFH67. A valid signature only tells macOS Gatekeeper who signed the binary and that it has not been altered since; it is not a judgement that the code is benign, but to a user it looks like a guarantee of authenticity. The application even had a section for filing bug reports. Apple has since revoked the signature, and the metadata for the bug-report feature that had been stored in a GitHub repository has been removed. The episode shows how easily victims were lured by an application that appeared entirely genuine and lost money to it.

TokenAIS and CryptAIS purport to help users build a portfolio of AI-based cryptocurrency trading. The attackers build these apps carefully so that whatever information you enter into them is captured and sent back to them.
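As an added example (not code from the original article or from any government advisory), the following Python script turns the indicators above into a detection sweep: it refangs the six listed domains, matches them against proxy and DNS log lines including subdomains, and extracts the TeamIdentifier field from `codesign -dv --verbose=4` output so that bundles signed by the revoked DAFOM Team ID W58CYKFH67 can be flagged. The log lines and the codesign output are constructed samples; the signer's common name and bundle identifier in the codesign sample are placeholders, since the article does not give them.

```python
"""Detection sweep for the TraderTraitor indicators listed above.

Added example, not part of the original article or of any U.S. government
advisory. Only the six domains and the Team ID come from the text; the log
lines and the codesign output below are constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

# Indicators exactly as published above (defanged with "[.]").
TRADERTRAITOR_DOMAINS = [
    "dafom[.]dev",
    "tokenais[.]com",
    "cryptais[.]com",
    "alticgo[.]com",
    "esilet[.]com",
    "creaideck[.]com",
]
# Apple Developer Team ID that signed the DAFOM build (since revoked by Apple).
BLOCKED_TEAM_IDS = {"W58CYKFH67"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('dafom[.]dev', 'hxxps://x[.]y/path') into a plain hostname."""
    host = indicator.strip().lower()
    host = host.replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host)   # defanged scheme, if present
    return host.split("/")[0]                # drop any path


IOC_HOSTS = {refang(d) for d in TRADERTRAITOR_DOMAINS}


def host_matches(host: str) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".").split(":")[0]   # drop FQDN dot and any port
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Pulls the host out of a URL, or the queried name out of a "DNS <type> <name>" record.
_HOST_IN_LINE = re.compile(r"https?://([^/\s]+)|DNS\s+\S+\s+(\S+)")

# Constructed sample: "<epoch> <client> <verb> <target> ..." proxy lines plus DNS queries.
SAMPLE_LOG = """\
1650000001.123 workstation-07 GET https://www.dafom.dev/download/DAFOM.dmg 200
1650000002.456 workstation-12 GET https://github.com/electron/electron 200
1650000003.789 workstation-07 GET https://cdn.tokenais.com/update.json 200
1650000004.000 workstation-03 DNS A esilet.com.
1650000005.000 workstation-03 DNS A example.com.
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, matched_ioc) for every log line that touches an IOC domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        client = fields[1]
        for url_host, dns_host in _HOST_IN_LINE.findall(line):
            ioc = host_matches(url_host or dns_host)
            if ioc:
                hits.append((client, ioc))
    return hits


# Constructed sample of `codesign -dv --verbose=4 /Applications/DAFOM.app 2>&1`.
# Signer name and bundle identifier are placeholders; only the Team ID is from the article.
SAMPLE_CODESIGN = """\
Executable=/Applications/DAFOM.app/Contents/MacOS/DAFOM
Identifier=<bundle identifier>
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: <signer name> (W58CYKFH67)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=W58CYKFH67
"""


def codesign_team_id(codesign_output: str) -> Optional[str]:
    """Extract the TeamIdentifier field from codesign's verbose output (None if absent/'not set')."""
    m = re.search(r"^TeamIdentifier=(\S+)\s*$", codesign_output, re.MULTILINE)
    return m.group(1) if m else None


def signer_is_blocked(codesign_output: str) -> bool:
    """True when the bundle was signed by a Team ID on the blocklist."""
    team = codesign_team_id(codesign_output)
    return team is not None and team in BLOCKED_TEAM_IDS


if __name__ == "__main__":
    for client, ioc in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} contacted TraderTraitor domain {ioc}")
    if signer_is_blocked(SAMPLE_CODESIGN):
        print(f"ALERT bundle signed by blocked Team ID {codesign_team_id(SAMPLE_CODESIGN)}")
```

To run this against real data, feed exported proxy or DNS logs to `scan_log` and the captured output of `codesign -dv --verbose=4 /path/to/App.app 2>&1` to `signer_is_blocked`. After Apple's revocation, `spctl --assess --type execute` will also reject the bundle, but a blocklist on the Team ID still catches copies that were installed while the certificate was valid.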


Defense in The Face of Threat

Although phishing campaigns this polished can feel overwhelming, the FBI and CISA have published some straightforward mitigations to help you steer clear of these actors:

  • Defense in Depth: Use a segmented network so that a compromised workstation cannot move laterally to the systems that hold keys, wallets, or funds. Limiting the attack surface this way keeps the rest of the environment secure even when one endpoint is infected.
  • Regular Patching of Vulnerabilities: Evaluate the organization's systems routinely to identify threats and vulnerabilities, and patch them as early as possible.
  • Extra Precautionary Steps, Such as MFA: Adopt multi-factor authentication (MFA), even for internal tools and applications. The Lazarus Group attacks with the victim's stolen credentials, email, and private business accounts, so a password alone must never be enough. Prefer MFA that cannot simply be typed into a phishing page (hardware security keys) for privileged and wallet-related accounts, use strong and unique passwords, and rotate any credential promptly once exposure is suspected.
  • Employee Training: Train your employees in cybersecurity hygiene and enforce healthy practices: not clicking on links that look suspicious, not revealing passwords, and not sharing MFA codes with anyone. Regular, updated courses help both the organization and the individual.
  • Email and Domain Awareness: Most phishing is built around current affairs or emails that look genuine but are fake, and social engineering can also be themed around social issues that invoke the victim's empathy. Make sure everyone checks the authenticity of the sender's domain and of the destination website before clicking a link.
  • Take Care When Downloading Applications and Freeware Software: The TraderTraitor applications are built from legitimate open-source projects, so the fact that an app is open source, or even signed, says nothing about who packaged it or why. Download only from the vendor's official site or app store, verify the publisher, and treat any application or website your security tooling flags as a likely gateway for malware.


Final Words

The recent North Korean state-sponsored campaign demands high vigilance and awareness at both the individual and the organizational level. Following the guidelines above should serve as the first line of defense against the majority of the threats these actors pose. To be on the safer side, anti-phishing and anti-malware tools should also be deployed to protect your employees and your customers.
