F-Secure reports: North Korean hackers launch global attack campaign on the cryptocurrency industry. Although the professional attackers covered their tracks, F-Secure was able to reconstruct a global attack by the so-called Lazarus Group.
The cybersecurity specialists at F-Secure have published a report in which they link the details of a targeted attack on a company in the cryptocurrency industry to the Lazarus Group. The hacking group, which is believed to have close ties to the Democratic People's Republic of Korea (DPRK), is known for its highly professional approach and purely financial motives. By combining the information and patterns obtained from the attack with existing research results, F-Secure concludes in the report that the incident it investigated is part of a global Lazarus Group campaign aimed at cryptocurrency companies in the United States, Great Britain, the Netherlands, Germany, Singapore, Japan and other countries.
Report reveals Lazarus group
The report analyzes the logs, protocols and other technical artifacts that F-Secure was able to secure during the forensic investigation of an attack on a crypto organization. F-Secure's security experts found that the attack methods are almost identical to the practices previously used by the Lazarus Group, also known as APT38.
The report also includes details of the Tactics, Techniques, and Procedures (TTPs) used during the attack. For example, the attackers used spear phishing that exploited trusted external services: in this specific case, a fake job offer tailored to the recipient's profile was sent via the LinkedIn platform.
Similar attacks in at least 14 countries
On the basis of phishing artifacts that were seized after the Lazarus Group attack, the researchers from F-Secure were able to link the incident to an extensive campaign that had been running since January 2018. According to the report, similar artifacts were found in attacks in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, the Netherlands, Estonia, Japan, and the Philippines.
The Lazarus Group went to great lengths to bypass the affected company's defenses during the attack. For example, it disabled anti-virus software on the compromised hosts and removed evidence of its activities that it had left behind. Although the report characterizes the attack as highly professional, it also notes that the Lazarus Group's subsequent efforts to cover its tracks were inadequate: numerous clues that remained hidden but unremoved ultimately provided F-Secure with clear evidence of the attackers' activities.
Incident Response, Managed Detection & Response and Tactical Defense Team
“The attack was investigated by experienced specialists from our Incident Response, Managed Detection & Response and Tactical Defense teams. It turned out that this attack had a number of similarities with known activities of the Lazarus group. We believe they were responsible for this attack,” said Matt Lawrence, director of detection and response at F-Secure. Companies can now refer to the report to familiarize themselves with this specific cyberattack, the TTPs and the Lazarus Group in general. The report also gives direct security recommendations for protecting against attacks by the group.
More on this at F-Secure.com
About F-Secure

Nobody has a better insight into real cyberattacks than F-Secure. We bridge the gap between detection and response. To do this, we leverage the unmatched threat expertise of hundreds of the best technical advisors in our industry, data from millions of devices using our award-winning software, and ongoing innovations in artificial intelligence. Leading banks, airlines and corporations trust our commitment to fight the world's most dangerous cyber threats. Together with our network of top channel partners and over 200 service providers, it is our mission to provide all of our customers with tailored, enterprise-grade cybersecurity. F-Secure was founded in 1988 and is listed on NASDAQ OMX Helsinki Ltd.