“North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months,” the FBI has warned through a public service announcement.
This suggests that they are likely to target companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products, the Bureau added.
North Korean hackers are after money
State-sponsored North Korean hackers have specialized in brazen crypto-heists, aimed at bringing income into the hermit kingdom, which is weighed down by international economic sanctions.
For many years now, the FBI has been warning about North Korean hackers posing as IT freelancers to become malicious insiders, targeting blockchain engineers and even security researchers.
But despite the many warnings, the looting continues unabated.
North Korean hackers employ social engineering and supply chain attacks
“North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” the FBI says.
“Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets.”
The hackers’ persistence is not surprising, given the massive pay-offs. They take their time to scout employees at target companies by reviewing their social media activity and create tailored scenarios for getting in touch with them and establishing a rapport before delivering malware.
They usually impersonate recruiters or people associated with certain technologies, and even recruiting firms or technology companies.
Fake job opportunity delivering malware (Source: Mandiant)
“The actors usually communicate with victims in fluent or nearly fluent English and are well versed in the technical aspects of the cryptocurrency field,” the FBI notes.
“If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust.”
The Bureau has listed a number of indicators that could point to North Korean social engineering activity and has shared mitigation advice. But, unfortunately, even many sensible precautions are sometimes not enough to identify hackers posing as legitimate job seekers.
Also, North Korean hackers don’t rely solely on social engineering when targeting Web3 organizations.
“They have also been observed conducting supply chain attacks to establish an initial foothold such as the attacks on JumpCloud and 3CX in 2023 which targeted their downstream customers that provide cryptocurrency services,” Mandiant researchers pointed out.
“Once a foothold is established via malware, the attackers pivot to password managers to steal credentials, perform internal reconnaissance via code repos and documentation, and pivot into the cloud hosting environment to reveal hot wallet keys and eventually drain funds.”