Security researchers at ClearSky have analyzed multiple attacks on cryptocurrency exchanges over the past few years. With medium to high confidence, they attribute them to a threat actor they dubbed CryptoCore and say it is in fact the North Korean group Lazarus.
The group has been active for the past three years and has stolen hundreds of millions of U.S. dollars from cryptocurrency exchanges in the U.S., Israel, Europe, and Japan.
Last year, cybersecurity company ClearSky published a report about the financially motivated CryptoCore campaign, which targeted cryptocurrency wallets belonging to exchanges or their employees. At first, ClearSky saw evidence that the CryptoCore threat actor had connections to hackers in Eastern European countries such as Ukraine, Russia, and Romania. The group uses spear-phishing to gain an initial foothold. Since the attacks started in 2018, CryptoCore has carried out at least five attacks, causing losses of at least $200 million.
Following ClearSky’s report, other cybersecurity companies conducted their own investigations and published results and technical details that confirmed those in the CryptoCore report:
- A report from F-Secure showed that the attackers also used spear-phishing to convince victims to download a malicious file. The paper outlined similarities with malware attributed to Lazarus.
- A report from Japan’s CERT, JPCERT/CC, described how employees of Japanese firms were contacted and tricked into downloading malicious files, and provided technical information about the malware used in the attack.
- A report from the Japanese cybersecurity firm NTT Security described a campaign dubbed CRYPTOMIMIC that resulted in large sums of money being stolen from crypto wallets using the same tactic of contacting users and fooling them into downloading malicious files.
In a new report issued today, ClearSky compared the above research and said there are sufficient similarities to attribute the attacks to one and the same actor. After checking whether the company’s YARA rules for identifying and classifying malware matched the remote access trojans (RATs) described in reports about Lazarus from ESET and Kaspersky, ClearSky confirmed F-Secure’s attribution of the attacks to the Lazarus group. The YARA rule matched an old RAT that Kaspersky reported in 2016 (bbd703f0d6b1cad4ff8f3d2ee3cc073c).
ClearSky found a total of 40 common indicators of compromise (IoCs) in the reports from F-Secure, NTT Security, and JPCERT/CC.
Based on this, ClearSky attributed the CryptoCore campaigns to Lazarus with medium to high confidence.