
On April 18, the Federal Bureau of Investigation (FBI), the U.S. Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA) report concerning malicious North Korean state-sponsored cryptocurrency activity. According to the U.S. government, law enforcement officials have observed North Korean cyber actors targeting specific blockchain companies in the industry.
FBI Alleges North Korean Hacking Activity Is On The Rise, Report Highlights Lazarus Group Activities
The FBI, along with a number of US agencies, released a CSA report titled “North Korean State-Sponsored APT Targets Blockchain Companies”. The report details that the APT (Advanced Persistent Threat) is state-sponsored and has been active since 2020. The FBI explains that the group is commonly known as the Lazarus Group, and US officials accuse the cyber actors of a number of malicious hacking attempts.
North Korean cyber actors target a variety of organizations, such as “organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).”
The FBI’s CSA report follows the recent update from the Office of Foreign Assets Control (OFAC) that accuses the Lazarus Group and North Korean cyber actors of involvement in the Ronin Bridge attack. After the release of the OFAC update, the Ethereum mixing project Tornado Cash revealed that it uses Chainalysis tools and blocks OFAC-sanctioned Ethereum addresses from using the Ethereum mixing protocol.
‘AppleJeus’ Malware and the ‘TraderTraitor’ Technique
According to the FBI, Lazarus Group leveraged malware called “AppleJeus,” which is delivered as trojanized cryptocurrency applications.
“In April 2022, Lazarus Group actors in North Korea targeted various companies, entities and exchanges in the blockchain and cryptocurrency industry using spear phishing campaigns and malware to steal cryptocurrency”, the CSA report states. “These actors will likely continue to exploit vulnerabilities in cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”
The FBI says the North Korean hackers utilized massive spearphishing campaigns sent to employees working for crypto firms. Typically the cyber actors would target software developers, IT operators, and DevOps employees. The tactic, called “TraderTraitor,” often mimics “a recruitment effort” and offers “high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications.” The FBI concludes that organizations should report anomalous activity and incidents to the CISA 24/7 Operations Center or visit a local FBI field office.