North Korean hackers have shifted their methods in an escalation of their cyber warfare tactics. They now employ phishing emails as a primary tool to target cryptocurrency firms.
A recent report by cybersecurity research firm SentinelLabs linked this shift to BlueNoroff, a notorious subgroup within the Lazarus Group.
BlueNoroff is known for extensive cybercrimes aimed at funding North Korea’s nuclear and weapons initiatives. The new campaign, dubbed ‘Hidden Risk,’ reveals a strategic pivot from social media grooming to more direct, email-based infiltration.
Hackers have intensified their efforts in the ‘Hidden Risk’ campaign by using highly targeted phishing emails. Disguised as crypto news alerts on Bitcoin prices or updates on decentralized finance (DeFi) trends, these emails lure recipients into clicking on seemingly legitimate links. Once clicked, these links deliver malware-laden applications to users’ devices, giving attackers direct access to sensitive corporate data.
“The campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file,” the report read.
The malware in the ‘Hidden Risk’ campaign is notably sophisticated, effectively bypassing Apple’s built-in security protocols. Using legitimate Apple Developer IDs, it evades macOS’s Gatekeeper system, which has sparked significant concern among cybersecurity experts.
North Korean hackers have traditionally relied on elaborate social media grooming to establish trust with employees at crypto and financial firms. Engaging with targets on platforms like LinkedIn and Twitter, they created the illusion of legitimate professional relationships. While effective, this patient method was time-consuming, prompting a shift towards quicker, malware-based tactics.
North Korea’s hacking activities have intensified as the cryptocurrency sector continues to grow. Currently valued at over $2.6 trillion, the crypto space is an attractive target for North Korean state-sponsored hackers. SentinelLabs’ report highlights how this environment is particularly susceptible to cyber-attacks, making it a lucrative hunting ground for Lazarus.
According to a recent FBI warning, North Korean hackers have been focusing on DeFi and exchange-traded fund (ETF) firms. They leverage social engineering and phishing campaigns aimed directly at employees within these sectors. The warnings have urged firms to bolster their security protocols and have particularly advised on the need to crosscheck client wallet addresses against known hacker-linked addresses.
BeInCrypto also reported how the Lazarus Group has learned to circumvent Western sanctions. They manipulated loopholes in international regulations to facilitate crypto-based money laundering. A significant milestone in this timeline was the utilization of the RailGun privacy protocol, which provides anonymous transactions on the Ethereum blockchain.
The US government has not been passive in response to North Korea’s escalated cyber campaigns. The Treasury Department sanctioned crypto mixing service Tornado Cash, citing its role in aiding North Korean hackers in obscuring illicit transactions. Tornado Cash, similar to RailGun, allows users to anonymize cryptocurrency movements, providing hackers with a powerful tool to cover their tracks.
The sanctions were part of a broader crackdown, highlighting how North Korea’s crypto-related activities are becoming a significant point of focus for Western governments. The timing of these sanctions aligns with North Korea’s intensified activities in the crypto sector, especially through Lazarus.
Given the sophistication of the new ‘Hidden Risk’ campaign, SentinelLabs advises macOS users and organizations, particularly those involved in cryptocurrency, to heighten security measures. They recommend that companies conduct thorough malware scans, cross-check developer signatures, and avoid downloading attachments from unsolicited emails.
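One way to act on the “cross-check developer signatures” advice, as an added example that is not part of the report or this article: a small triage helper that parses the output of macOS’s `codesign -dvv` for a downloaded bundle, flags an app bundle whose name imitates a document (the PDF disguise described above), and compares the signing Team ID against an allowlist of publishers the organisation expects. The sample `codesign` output, the Team IDs and the bundle name are constructed placeholders, not real indicators.

```python
import re

# Constructed sample of `codesign -dvv <app>` output (hypothetical Team ID,
# bundle name and identifier; not indicators from the report).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Users/analyst/Downloads/Bitcoin_Price_Report.pdf.app/Contents/MacOS/Bitcoin_Price_Report
Identifier=com.example.pdfviewer
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Example Publisher (ZZZZ000000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ000000
"""

# Team IDs of publishers this organisation expects software from (constructed).
TRUSTED_TEAM_IDS = {"AAAA111111"}

# An app bundle whose name ends in one of these looks like a document.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def parse_codesign(output):
    """Turn key=value lines from codesign into a dict; Authority repeats."""
    info = {"authorities": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info


def bundle_name(executable):
    """Extract 'Foo.app' from '.../Foo.app/Contents/MacOS/Foo'."""
    m = re.search(r"([^/]+\.app)/Contents/MacOS/", executable)
    return m.group(1) if m else None


def assess(output, trusted=TRUSTED_TEAM_IDS):
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_codesign(output)
    findings = []
    bundle = bundle_name(info.get("Executable", ""))
    if bundle and bundle[:-len(".app")].lower().endswith(DOCUMENT_EXTENSIONS):
        findings.append("app bundle named like a document: " + bundle)
    team = info.get("TeamIdentifier")
    if not team or team == "not set":          # unsigned or ad-hoc signed
        findings.append("unsigned or ad-hoc signed")
    elif team not in trusted:                  # valid Developer ID, unknown publisher
        findings.append("Developer ID team not on allowlist: " + team)
    if not any(a.startswith("Developer ID Application:") for a in info["authorities"]):
        findings.append("no Developer ID Application certificate in chain")
    return findings
```

A valid Developer ID signature only proves Apple issued the certificate, so the allowlist comparison is what catches a bundle signed by a team the organisation has never heard of.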
These proactive steps are essential to safeguard against increasingly complex malware designed to stay hidden within systems.