How A Single Apple Mac Hack Scored North Korean Spies $7 Million In Cryptocurrency
North Korean hackers are using legitimate-looking LinkedIn and Telegram profiles in order to target the cryptocurrency wallets of macOS users, cybersecurity experts at Chainalysis have warned.
A report shown to Forbes ahead of publication on Tuesday revealed previously unknown details on a cryptocurrency exchange attack carried out by the Lazarus Group, a unit that the U.S. government and many cybersecurity researchers have identified as being North Korea-sponsored. It’s the same group blamed for the massive Sony Pictures breach in 2014 and the WannaCry ransomware epidemic of 2017.
Singapore-based cryptocurrency exchange DragonEx lost $7 million in a March 2019 breach after being targeted persistently by the hackers, according to a Chainalysis researcher, who asked not to be named. The hackers started by creating a fake business—WFCWallet—along with an official-looking website and LinkedIn profiles.
WFCWallet did provide software—but it was an infected version of a legitimate Bitcoin trading platform. Once installed, the tool opened a backdoor on the infected Apple Mac through which the attackers could siphon off the private keys to victims’ cryptocurrency accounts. The software also had a keylogging feature that could be used to filch more data, such as user passwords.
The attackers then contacted an unnamed senior executive at the DragonEx exchange over Telegram, asking whether she would like to do business with them and whether she would like to download the malicious WFCWallet. Though the executive initially seemed unenthusiastic about the offer of partnership, the hackers persisted over weeks and, for unknown reasons, a DragonEx employee ended up downloading the compromised software onto their Mac. That Mac also held the private keys for customer accounts, which the Chainalysis source described as a weakness on DragonEx’s end. (After the attack, DragonEx said it was going to improve security.)
From there, the attackers drained customers’ holdings of Bitcoin, Ripple and Litecoin, then laundered the funds through a series of accounts in an effort to cover their tracks.
North Korea’s use of front companies in cryptocurrency campaigns was first spotted in 2018 and continued throughout 2019. But the DragonEx breach showed just how persistent and effective those fake businesses can be.
Chainalysis, which was recruited by DragonEx to help it investigate the attack, said it was one of the most elaborate phishing campaigns it had ever witnessed, saying it was “on another level of sophistication.”
“It reveals the time and resources Lazarus has at its disposal, as well as the deep knowledge of the cryptocurrency ecosystem necessary to successfully impersonate legitimate participants,” the company wrote.
DragonEx hadn’t responded to requests for comment at the time of publication.
Earlier this month, researchers from Kaspersky Lab said the Lazarus Group had started delivering its malware directly over Telegram, rather than trying to divert targets to software downloads hosted online.
More hacks, less money
The Chainalysis report also noted that 2019 saw more major cryptocurrency exchange hacks than any year before, with 11 attacks netting $283 million. But the total amount stolen in 2019 dipped compared with 2018, a year that included the huge $534 million breach at Coincheck.
North Korean hackers remain heavily focused on stealing money to support the state’s weapons manufacturing. As the U.S. Treasury noted last year in announcing sanctions on North Korean hackers, Lazarus was one group “perpetrating cyber attacks to support illicit weapon and missile programs.” According to the U.S., Lazarus was formed by the North Korean government as early as 2007 and was part of the state’s Reconnaissance General Bureau.
This article originally appeared on forbes.com.