TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). They provide recommendations for mitigating attacks (OODA provides additional, more actionable context below).
This particular series of attacks includes a wide array of techniques. As an example of one that is used, see the image below from a website behind one of the many tactics. This modern looking website encouraged download of a program which claimed to offer cryptocurrency features like price prediction. The program was laced with malware to compromise credentials including wallet secrets.
For the full CISA report see : TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies.
Mitigation measures CISA recommends are directionally aligned with OODA recommendations, but like all government recommendation lists they tend towards recommending everything possible that could potentially help, which can end up causing more harm than good by disincentivizing prioritization and making focus very hard. Government recommendations are also almost always heavy on a concept called defense in depth, which we also appreciate and sometimes leverage, but generally the defense in depth concept assumes an unlimited security budget. Unlimited security budgets are not part of the reality of most non government organizations.
Here is OODA’s recommended list for reducing risk in cryptocurrency communities:
- Work to raise defenses and reduce risk, but adapt a hacker mindset for continuous critical examination of what matters most. This was examined in our recent post titled Web3 Security: How to Reduce Your Cyber Risk, which leverages OODA’s deep DNA in red teaming and cryptocurrency experience to provide actionable recommendations.
- In the case of mitigations against the DRPK threat, pay particularly close attention to protection of user credentials and strongly endorse multi factor authentication. This is always a best practice but is worth mentioning again here because, as CISA notes, North Korean malicious cyber actors continuously target user credentials, email, social media, and private business accounts. Organizations should ensure users change passwords regularly to reduce the impact of password spraying and other brute force techniques. CISA has done a good job providing ways to mitigate MFA interception techniques for some MFA implementations and monitor for anomalous logins.
- North Korean actors rely heavily on social engineering, leveraging email and social media platforms to build trust and send malicious documents to unsuspecting users. User training should include how to identify social engineering techniques and awareness to only open links and attachments from trusted senders.
- In keeping with our Web3 Security guidance, exercise and evaluate. use external resources to conduct third party red teaming. OODA can help here.
- Additionally, although this particular report focused on threat actors from DPRK, cryptocurrency projects and companies working to field Web3 solutions should also make use of the extensive lessons from all major cryptocurrency incidents. For insights see the OODA Cryptocurrency Incident Database.
Explore OODA Research and Analysis
Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop
The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence
We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech
Security and Resiliency
Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency
The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community