State-sponsored hackers affiliated with North Korea have been
behind a slew of attacks on cryptocurrency exchanges[1] over the past three
years, new evidence has revealed.
Attributing the attack with “medium-high” likelihood to the
Lazarus Group (aka APT38 or Hidden Cobra), researchers from Israeli
cybersecurity firm ClearSky said the campaign, dubbed
“CryptoCore,” targeted crypto exchanges in Israel, Japan,
Europe, and the U.S., resulting in the theft of millions of dollars
worth of virtual currencies.
The findings[2]
are a consequence of piecing together artifacts from a series of
isolated but similar reports detailed by F-Secure[3], Japanese CERT JPCERT/CC[4], and NTT Security[5]
over the past few months.
Since emerging on the scene in 2009, Hidden Cobra[6]
actors have used their offensive cyber capabilities to carry out
espionage and cryptocurrency heists against businesses and
critical infrastructure. The adversary’s targeting aligns with
North Korean economic and geopolitical interests, which are
primarily motivated by financial gain as a means to circumvent international
sanctions[7]. In recent years,
Lazarus Group has further expanded its attacks to target the
defense and aerospace[8]
industries.
CryptoCore, also called CryptoMimic, Dangerous
Password[9], CageyChameleon, and
Leery Turtle[10], is no different from
other Lazarus Group operations in that it’s primarily focused on
the theft of cryptocurrency wallets.
Believed to have commenced in 2018, the campaign’s modus
operandi involves leveraging spear-phishing as an intrusion route
to get hold of the victim’s password manager account, using it to
plunder the wallet keys and transfer the currencies to an
attacker-owned wallet.
The group is said to have stolen an estimated $200 million,
according to a ClearSky report[11] published in June 2020,
which linked CryptoCore to five victims located in the U.S., Japan,
and the Middle East. In connecting the dots, the latest research
shows that the operations have been more widespread than previously
documented, and that the campaign has simultaneously evolved several
parts of its attack vector.
A comparison of the indicators of compromise (IoCs) from the
four public disclosures not only found enough behavioral and
code-level overlaps, but has also raised the possibility that each
of the reports touched upon different aspects of what appears to be
a large-scale attack.
In addition, ClearSky said it reaffirmed the attribution by
comparing the malware deployed in the CryptoCore campaign to other
Lazarus campaigns and found strong similarities.
“This group has successfully hacked into numerous companies and
organizations around the world for many years,” ClearSky
researchers said. “Until recently this group was not known to
attack Israeli targets.”
References
1. cryptocurrency exchanges (thehackernews.com)
2. findings (www.clearskysec.com)
3. F-Secure (labs.f-secure.com)
4. JPCERT/CC (blogs.jpcert.or.jp)
5. NTT Security (insight-jp.nttsecurity.com)
6. Hidden Cobra (thehackernews.com)
7. circumvent international sanctions (thehackernews.com)
8. defense and aerospace (thehackernews.com)
9. Dangerous Password (www.secrss.com)
10. Leery Turtle (cyberstruggle.org)
11. ClearSky report (www.clearskysec.com)