The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the U.S. Treasury Department issued a joint cybersecurity advisory (CSA) on April 18 warning of North Korean state-sponsored actors targeting attacks on crypto and blockchain technology providers.
The two cyber actors named in the CSA – HIDDEN COBRA and BeagleBoyz – have utilized AppleJeus malware to target various cryptocurrency and blockchain organizations including:
- Cryptocurrency exchanges;
- Decentralized finance protocols;
- Play-to-earn cryptocurrency video games;
- Cryptocurrency trading companies;
- Venture capital funds investing in cryptocurrency; and
- Individual holders of large amounts of cryptocurrency or valuable non-fungible tokens.
According to the CSA, individuals and organizations working with cryptocurrency transactions online are targeted by the actors, and online crypto exchanges and others have fallen victim to thefts caused by the attacker group’s malware.
“These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime,” the CSA says.
CISA, FBI, and Treasury explained that the cyber actors use various communication platforms to encourage individuals to download “trojanized cryptocurrency applications” – usually via spear-phishing tactics and often mimicking lucrative job recruitment efforts – with victims unwittingly downloading malware onto network devices.
Then these cyber actors use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities “enable additional follow-on activities that initiate fraudulent blockchain transactions,” the CSA says.
The federal law enforcement agencies have advised organizations to use modern security principles, endpoint protection, and HTML and email scanning, among other mitigating measures.
Both attack groups are associated with the cyberattack group Lazarus Group – otherwise known as APT38, BlueNoroff, and Stardust Chollima – which has targeted crypto and blockchain organizations since at least 2020.