The Lazarus Group: Financially-Motivated and Targeting Cryptocurrency

Researchers at Proofpoint have published a white paper detailing North Korea’s financially-motivated cyber activity, including its recent targeting of Bitcoin. North Korea is commonly named as one of the United States’ top cyber adversaries; however, it operates quite differently from adversaries such as Russia, China, and Iran. Largely because of the sanctions imposed on the state, North Korea has turned to the kinds of attacks traditionally carried out by cybercriminals in order to steal funds. The advanced persistent threat (APT) group associated with the North Korean government, the Lazarus Group, has been attributed various financially-motivated attacks over the last few years, including: the February 2016 attack that abused the SWIFT messaging network to steal $81 million from the central bank of Bangladesh, subsequent attacks on dozens of other financial institutions around the world, and the May 2017 WannaCry ransomware outbreak that impacted hundreds of thousands of computers worldwide.

More recently, the group has capitalized on the growing interest in, and surging prices of, cryptocurrencies. The Lazarus Group is accused of stealing millions of dollars’ worth of Bitcoin from the South Korean exchange Youbit, breaching several other cryptocurrency companies and exchanges, and targeting individuals and organizations with spear-phishing emails whose links and attachments deliver the PowerRatankba malware, which steals credentials for cryptocurrency wallets. Researchers also believe the group targeted SoftCamp point-of-sale terminals, used largely in South Korea, with the RatankbaPOS malware in order to steal payment card data. The NJCCIC recommends reviewing the Proofpoint report “North Korea Bitten By Bitcoin Bug” for more information on recent Lazarus Group activity, including the attack vectors and tools used by the group.
We recommend that cryptocurrency owners remain vigilant and maintain awareness of threats targeting cryptocurrency wallets and exchanges. Avoid using links provided in emails or on social media platforms to reach wallet and exchange sites; instead, type the legitimate address directly into the browser’s address bar, since a link’s visible text can show one address while the underlying URL points to a lookalike domain. Exercise caution before downloading any cryptocurrency-related application, and before granting external services API access to an exchange account: prefer keys limited to the permissions actually needed (for example, read-only) over full read/write access, and revoke keys that are no longer used. Lastly, we strongly recommend enabling multi-factor authentication on all accounts that offer it, preferably with an authenticator app or hardware token rather than SMS, to prevent unauthorized access as a result of credential compromise.
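The link-related advice above can be made mechanical. The following Python is an added example, not code from the NJCCIC or from the Proofpoint report: it pulls every link out of an HTML email body and flags the tricks phishing mail uses to imitate an exchange, namely a hostname that merely contains the exchange’s name, anchor text that displays one URL while the href goes elsewhere, and internationalized (`xn--`) hosts that may be homoglyph lookalikes. The trusted hostnames, brand tokens and the sample message are all constructed for the demonstration and do not refer to real services.

```python
"""Audit links in an HTML email against an allowlist of exchange/wallet hosts.

Added example (not from the original advisory). TRUSTED_HOSTS, BRAND_TOKENS
and SAMPLE_EMAIL are constructed placeholders, not real domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Exact hostnames of the sites the user actually holds accounts on (hypothetical).
TRUSTED_HOSTS = {"www.example-exchange.com", "wallet.example-wallet.net"}
# Brand strings whose presence in an *untrusted* host suggests a lookalike.
BRAND_TOKENS = {"example-exchange", "example-wallet"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def hostname_of(url):
    """Hostname as a browser resolves it: lower-cased, userinfo and port dropped.

    "https://www.example-exchange.com@evil.test/" therefore yields "evil.test",
    which is exactly why comparing whole URLs by eye is unreliable.
    """
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return ""


def link_findings(href, text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    scheme = urlsplit(href).scheme.lower()
    host = hostname_of(href)
    if scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % scheme)
    if host not in TRUSTED_HOSTS:  # exact match only, never suffix matching
        reasons.append("host %r is not an allowlisted exchange/wallet" % host)
        if any(brand in host for brand in BRAND_TOKENS):
            reasons.append("brand name inside an untrusted host (lookalike)")
        if any(label.startswith("xn--") for label in host.split(".")) or any(
            ord(c) > 127 for c in host
        ):
            reasons.append("internationalized host (possible homoglyph)")
    # Anchor text that shows one URL while the href actually points elsewhere.
    shown = re.search(r"https?://([^\s/]+)", text)
    if shown and shown.group(1).lower() != host:
        reasons.append(
            "display text shows %r but link goes to %r" % (shown.group(1).lower(), host)
        )
    return reasons


def audit_email(html):
    """Map each href in the message to its findings; links that pass map to []."""
    return {href: link_findings(href, text) for href, text in extract_links(html)}


# Constructed phishing-style message for the demo; none of these domains are real.
SAMPLE_EMAIL = """
<p>Unusual withdrawal detected. Confirm your account at
<a href="http://www.example-exchange.com.verify-login.example/">https://www.example-exchange.com/</a>
within 24 hours, or read our
<a href="https://www.example-exchange.com/security">security notice</a>.
Wallet users: <a href="https://xn--examplewallet-7ra.net/">wallet update</a></p>
"""

if __name__ == "__main__":
    for href, findings in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

Running the block prints three verdicts: the first link is flagged three times (untrusted host, brand name inside a lookalike host, and display text that disagrees with the real destination), the genuine security-notice link passes, and the wallet link is flagged for its untrusted, internationalized host. The allowlist deliberately requires an exact hostname match; matching on a suffix or substring is what lets `www.example-exchange.com.verify-login.example` slip through.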