North Korean Hackers Attack Cryptocurrency Networks

Some cybercriminal groups, such as the North Korean-affiliated APT38 and Lazarus groups, have specialized in financial cyberattacks, which are usually extremely lucrative. Cryptocurrency exchange platforms (trading coins such as bitcoin) are among the “natural” targets with high potential for attackers: they concentrate significant financial flows that pass through blockchain technologies and numerous exchanges, while sometimes being poorly secured. These information storage and transmission technologies take the form of a distributed (non-centralised) database whose security rests on cryptography.

Platforms for converting cryptocurrencies into dollars or euros remain the weak link in the security chain of the crypto financial cycle. Attackers know this very well and systematically exploit security vulnerabilities that they either discover themselves by studying a platform or buy from other cybercriminal groups on dark web marketplaces. We have entered the era of industrialized cyberattacks and optimized gains for ever more professional and efficient cybercriminal groups, mafias and cartels. The very nature of cryptocurrencies, with their decentralized and anonymized design, the blockchain technologies behind them and the networks that transport them, could only attract malicious actors.

Nearly 600 million euros stolen

The latest cyberattack attributed to the APT38 and Lazarus groups was the subject of an FBI statement on April 14, 2022. American investigators confirmed that the two groups, acting on behalf of the People’s Republic of North Korea, are responsible for the theft (reported on March 29) of 620 million dollars (573 million euros) in Ethereum cryptocurrency.

The “cyberheist” resulted from the hacking of the blockchain-based online video game Axie Infinity. This very popular game was created in 2018 in Vietnam by Sky Mavis and immediately found success in the Philippines, with several million users. It allows players to earn money in the form of NFTs, digital tokens convertible into cryptocurrencies. The creators of the game set up a rudimentary blockchain running alongside the official Ethereum blockchain, which simplified and accelerated in-game transactions but weakened the security of the whole. The attackers of APT38 and Lazarus quite logically detected and then exploited the weaknesses of the game’s infrastructure to embezzle more than 600 million dollars in cryptocurrencies. The diverted loot certainly feeds the North Korean government’s accounts and serves in particular to finance its nuclear armament programme.

The APT38 and Lazarus groups rely on sophisticated tools to carry out their attacks. The two groups implicated by the FBI have long experience of high-level hacking against targets of very high value, and they have demonstrated their offensive capabilities against systems with good levels of security. Attacks attributed to APT38 and Lazarus are often sophisticated. They rely on stealthy malware (malicious software) that is sometimes developed or “customized” for the financial targets envisaged. As their latest attack on Axie Infinity and the Ronin network (the protocol that connects Ethereum to Axie Infinity) shows, the return on investment is significant. The gigantic gains obtained make it possible to buy high-level, and therefore very expensive, “zero-day” vulnerabilities (unpublished vulnerabilities). A zero-day vulnerability is a software flaw that is not yet publicly known and for which no patch exists.

They also make it possible to recruit talent among the best North Korean computer science students or affiliates. High-potential hackers are reportedly identified, recruited and trained in state hacking from an early age. This apparatus must be seen as an integral component of the North Korean military-industrial complex, as shown by a study from CNAS, an American think tank that publishes reports on cyber groups.

A true war effort

Specialization in financial targets contributes to the North Korean war effort. Malware operated by APT38 and Lazarus is often at the state of the art in cyberattacks and requires strong development capabilities.

As with any sophisticated cyberattack, the preliminary phase of screening potential targets, detecting information system vulnerabilities and planning the attack can take a long time.

This reconnaissance and social engineering phase consists of a detailed study of the targeted organization and its information system. Attackers identify weak links in the infrastructure, both at the level of systems and of human users. They then look for security vulnerabilities that can be exploited with the malware they already have. When effective “off the shelf” software does not exist, cybercriminal groups can form development teams to produce tailor-made malware adapted to the target. The high stealthiness of the malware they operate is characteristic of the various APT groups. Sometimes the attacks are carried out in several stages, with a phase devoted to identifying the target’s defense systems: a first attack is launched to assess the level of detection and remediation operated by the targeted system. In other cases, a malicious payload is introduced into the system without being activated. It remains dormant until the opportune moment of the attack, which may come several weeks after this initial phase. Either way, offensive strategies and tactics adapt to the target and to the complexity of its digital defenses.

The structure of the APT38 and Lazarus groups remains poorly understood. The nature of the targets and the typology of the attacks make it possible to characterize them within the global ecosystem of APT groups. Their numbers are not precisely known. We know that the most talented North Korean hackers are recruited continuously to reinforce the operational teams. Active since 2014, the APT38 group has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints and ATMs in at least 38 countries worldwide.

Multiple targets

The most significant cyber operations attributed to APT38 relate to the Bangladesh Bank heist in 2016, during which the group stole $81 million. It carried out attacks on Bancomext in 2018 and, in the same year, on Banco de Chile. Cybercriminal groups linked to North Korea are estimated to have stolen more than $400 million in cryptocurrencies through cyberattacks in 2021.

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a North Korean state-run cybercriminal group. Between 2010 and 2021, it carried out numerous cyberattacks and is now considered an APT (Advanced Persistent Threat) group because of the deliberate nature of the threat and the wide range of methods used when conducting an operation. The ideological imprint of APT38 and Lazarus is that of the North Korean regime, in a mode of operation very similar to that of a military unit belonging to a modern cyberarmy.

It is not possible to accurately assess the breakdown of the loot harvested by North Korean APT groups. This data is by definition a military secret. One can only imagine that, out of the 620 million dollars gained in the latest attack, a small part of the loot is devoted to the operating costs and budget of the APT38 group: salaries of members, recruitment of new members, continuous training before operational integration, the cost of developing malware, and the purchase of IT vulnerabilities and zero-days on international marketplaces such as Zerodium.

Even if the operating costs of the APT38 and Lazarus groups are probably quite high, they remain negligible compared to the sums stolen, which then feed the accounts of the North Korean regime. The North Korean nuclear program mobilizes a substantial budget in an otherwise extremely poor country. One understands that the financial windfall from cyberattacks on cryptocurrency infrastructures is a great opportunity to finance what is expensive…

In general, the global volume and intensity of cyberattacks are increasing systemically everywhere with the growth of attack surfaces: connected objects, cloud computing, blockchain and cryptocurrency architectures, edge computing, e-commerce, e-banking, telecommuting… North Korea is no exception to this global trend. Moreover, since North Korean cyberoffensive infrastructures have proven their effectiveness, it is a safe bet that groups such as APT38 and Lazarus will continue their illicit activities and adapt to new cybersecurity challenges: hacking of satellites, use of artificial intelligence in the design of future malware, ransomware, spyware, DDoS attacks integrating AI, attacks at the source against cryptocurrency mining farms… The more technology develops and the more systems are deployed, the more opportunities for attacks and gains appear for attackers. North Korea promotes the emergence of talent among hackers, and it will continue and intensify this rise in power.

In addition, international geopolitical crises (the war in Ukraine, Sino-American tensions) contribute to the increase in cyberattacks and the appearance of new destructive malware. Russia, Iran, China, Turkey, Syria, Saudi Arabia, but also many other countries, have cyberoffensive or cybercriminal groups working directly or indirectly with local intelligence services, which can use them for outsourced assignments or services. The cybermercenary model meets an operational need and allows countries like Russia to delegate certain attacks to Russian APT groups. The case of North Korea is particular, since the country is subject to binding international sanctions in connection with its nuclear weapons program.

APT groups are most often affiliated with China, Russia, North Korea, Vietnam, Iran or Syria. There are cybercriminal groups on the American side, but they are not APTs: groups associated with the Mexican or Colombian cartels, for example.

Payment in cryptocurrencies is becoming widespread on many digital platforms. Social networks with paid content integrate them by associating them with NFT tokens. Auction houses accept payment in bitcoin. More and more online games rely on blockchain infrastructures, with gains paid in cryptocurrencies and NFTs. Cryptocurrency exchanges and trading platforms have multiplied, with increasingly large flows. New cryptocurrencies backed by raw materials or mining are appearing and transforming the associated markets. The deployment of private and public blockchains opens up new prospects for growth in a decentralized economy, but also offers new attack opportunities and gigantic “crypto-hoards” for groups like APT38 and Lazarus.
