A cybersecurity firm has warned cryptocurrency users to expect more attacks from North Korea, as its hackers develop “enhanced capabilities” to deliver malware through popular messaging app Telegram.
Moscow-based Kaspersky Labs has been analysing new attacks from the Lazarus Group, a cybercrime group with links to North Korea, to determine how its techniques have developed since the AppleJesus attack on several cryptocurrency exchanges in 2018.
In research published Tuesday, the cybersecurity firm said there have been “significant changes to the group’s attack methodology.”
One case study involved what appeared to be a software update for a fake cryptocurrency wallet that, once downloaded, began to transmit user data over to hackers. Another example involved creating a backdoor for Mac software that bypassed security mechanisms without the computer ever being aware it was under attack.
A seemingly new attack vector has been to deliver malware through the Telegram messaging app. Researchers found some victim’s computers had downloaded a manipulated software with embedded malware that would send sensitive data to hackers without them being aware.
Many of these channels were for fake cryptocurrency companies, presumably set up by the hackers themselves. One recently detected fake site was for a “smart cryptocurrency arbitrage trading platform”. Kaspersky researchers found that these websites were often incomplete and filled with broken links, aside from the ones which took visitors to the Telegram channel.
Kaspersky said they were able to identify “several victims” from Poland, Russia, China, and the U.K, most with links to cryptocurrency businesses.
But Lazarus itself remains a mystery. By running malware through computer memory rather than a hard disk drive, the group generally avoids detection. Although the group is widely believed to be affiliated with North Korea, the secretive regime has repeatedly denied responsibility for its attacks.
Cybersecurity firm Group-IB estimated that the group stole nearly $600 million-worth of cryptocurrency in 2017 and most of 2018. Because their attacks are so successful, Kaspersky researchers are convinced the group will continue stealing cryptocurrency. “This kind of attack on cryptocurrency businesses will continue and become more sophisticated,” the report reads.
The U.S. Department for Treasury placed the Lazarus group on the U.S. sanctions list in 2019, meaning that any financial institution found dealing with them faces sanctions. This week, ethereum developer Virgil Griffith was indicted by U.S. authorities for speaking at a conference in North Korea. If found guilty, he faces up to 20 years in prison.
Disclosure Read More
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.