North Korean government-sponsored cyber syndicates reaped nearly $400 million in digital assets from seven major attacks on cryptocurrency platforms in 2021, a recent report said. The value gained from the attacks spiked by 40 percent from the prior year.
Advanced persistent threat (APT) cyber actors operating for the Democratic People’s Republic of Korea (DPRK) have hit investment firms and centralized exchanges, said researcher Chainalysis in a blog post. Many of the cyber offensives were carried out by the notorious Lazarus group (aka APT38), which is also using its multi-platform (Windows, Linux and macOS) targeted malware framework (MATA) to conduct cyber espionage against the defense industry.
Since 2018, Lazarus is believed to have stolen and laundered more than $200 million annually in virtual currencies, according to Chainalysis. Of late, the syndicate has reportedly developed the ability to attack supply chains. Such is the threat of supply chain attacks that the Cybersecurity and Infrastructure Security Agency (CISA) last month released a new framework for government and private sector organizations on how to engage with managed security service providers (MSSPs) and managed service providers (MSPs) to minimize supply chain risk and improve overall security.
How Crypto Cyberattacks Work
The DPRK crews are deploying phishing, code exploits, malware and social engineering to extract funds from the organizations’ online virtual currency wallets into DPRK-controlled addresses, Chainalysis said. From there the haul is laundered in covert maneuvers to “cover up and cash out,” the analyst wrote.
By Chainalysis’ figures, some 65 percent of the DPRK’s stolen funds in 2021 were laundered through mixers, software tools that “scramble cryptocurrencies from thousands of addresses.” By comparison, some 42 percent of pilfered funds were run through mixers in 2020, and 21 percent in 2019. Based on that precipitous increase in laundering activity in the space of only two years, it appears that the DPRK’s hackers have “taken a more cautious approach,” the company said.
Lazarus has been among the world’s most active cyber attackers for more than a decade. Not only has it conducted large-scale cyber espionage and ransomware campaigns, it has also attacked the defense industry and is now focusing on cryptocurrency markets. The group has been tied to a number of high-profile offensives, including:
- The $81 million heist from the Bangladesh Central Bank in 2016.
- The infamous attack on Sony Pictures in 2014 that cost the studio millions.
- The destructive WannaCry ransomware assault in 2017.
- Dozens of large cyber robberies targeting automated teller machines in 2018, part of a two-year wave of cyber burglaries that netted millions of dollars.
Even though the DPRK is a “cemented” threat to the cryptocurrency industry, blockchain analysis tools, compliance teams, criminal investigators, and hack victims “can follow the movement of stolen funds, jump on opportunities to freeze or seize assets, and hold bad actors accountable for their crimes,” Chainalysis said.
How MSSPs Can Mitigate Lazarus Attacks
Along those lines, security provider Kaspersky has recommended organizations take these five measures to mitigate Lazarus attacks:
- Provide your SOC team with access to the latest threat intelligence.
- Upskill your cybersecurity team to tackle the latest targeted threats.
- Implement EDR solutions for endpoint-level detection, investigation, and timely remediation of incidents.
- Implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
- Introduce security awareness training and teach practical skills to your team. Many targeted attacks start with phishing or other social engineering techniques that can take advantage of untrained employees.