CYFIRMA identifies the notorious ‘Lazarus Group’, a North Korea-backed hacker group, as behind the Indian crypto exchange WazirX breach

  • WazirX lost $235 million in crypto, consisting of over 200 different assets, including ~$96.7 million of Shiba Inu, ~$52.6 million of Ether, ~$11 million of Matic, and ~$7.6 million of Pepe.
  • Lazarus Group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), a primary intelligence service, has been ascertained as the mastermind of the attack.
  • Two subgroups of the Lazarus Group, APT38 and BlueNoroff, attack cryptocurrency exchanges and financial institutions worldwide.
  • In 2017 and 2018, Bithumb, one of South Korea’s largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency.
  • In 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets.

CXO DIGITAL PULSE.COM, Mumbai, July 29, 2024: CYFIRMA, an external threat landscape management platform, has identified Lazarus Group, a North Korea-backed hacker group, behind the WazirX breach. The state-sponsored attack is linked to North Korea’s Reconnaissance General Bureau (RGB), a primary intelligence service.

According to the analysis by CYFIRMA’s researchers, close to $235 million in crypto assets was lost in the breach. This consists of over 200 different assets, including ~$96.7 million of Shiba Inu, ~$52.6 million of Ether, ~$11 million of Matic, and ~$7.6 million of Pepe. The threat actor has already swapped a number of these tokens for Ether using a variety of decentralized services, the expected initial step of a typical laundering process.

The attacks were carried out by two subgroups of the Lazarus Group, namely APT38 and BlueNoroff. Lazarus mainly targets crypto exchanges and financial institutions worldwide.

APT38 primarily focuses on financial crimes, including attacks on banks and cryptocurrency exchanges. They are known for orchestrating large-scale heists and have been linked to several high-profile attacks on Asian financial institutions and crypto exchanges. APT38 uses sophisticated techniques such as custom malware, spear-phishing campaigns, and exploiting software vulnerabilities to infiltrate and steal funds.

BlueNoroff is focused on targeting financial institutions and cryptocurrency exchanges. This group has been implicated in various attacks on crypto exchanges in Asia, employing tactics such as phishing, malware deployment, and social engineering to compromise their targets. BlueNoroff has been known to set up fake companies and personas to establish trust and infiltrate the systems of crypto exchanges.

Kumar Ritesh, CEO & Founder, Cyfirma, says, “Heists have been ongoing for several years, with notable attacks occurring since at least 2017. Significant thefts have occurred in various countries, including South Korea, Japan, the United States, and others. The frequency of these attacks can vary, but they often occur in waves. The primary motivation is to generate revenue for the North Korean regime. The stolen cryptocurrency is used to fund the country’s weapons programs and to evade international sanctions.”

Notable Incidents Involving Asian Crypto Exchanges:

Bithumb (South Korea): In 2017 and 2018, Bithumb, one of South Korea’s largest cryptocurrency exchanges, suffered multiple hacks attributed to Lazarus Group, resulting in millions of dollars in stolen cryptocurrency.

Coincheck (Japan): In January 2018, Coincheck, a Japanese cryptocurrency exchange, was hacked, resulting in the theft of over $530 million worth of NEM tokens. While not definitively attributed to Lazarus, the methods used were consistent with their tactics.

Youbit (South Korea): In December 2017, Youbit, a South Korean cryptocurrency exchange, declared bankruptcy after a hack attributed to Lazarus Group resulted in the loss of 17% of its assets.

Different methods used by the attackers for successful breaches:

Phishing Attacks: Lazarus often starts with spear-phishing campaigns, sending targeted emails to employees of crypto exchanges. These emails contain malicious attachments or links that, once opened, install malware on the victim’s computer. Based on the latest findings, either the Liminal Custody UI was compromised or WazirX laptops were compromised in order to phish transaction signatures. This was not an insider attack, and no private keys were compromised.

Social Engineering: They use social engineering tactics to gain the trust of employees and trick them into revealing sensitive information or performing actions that compromise the exchange’s security.

Exploiting Software Vulnerabilities: They exploit known and zero-day vulnerabilities in software used by crypto exchanges. This can include vulnerabilities in web applications, servers, or employee workstations.

Malware Deployment: Lazarus deploys various types of malware, such as remote access Trojans (RATs) and keyloggers, to gain persistent access to the exchange’s network and monitor activities.

Moving Laterally: Once inside the network, they move laterally to gain higher levels of access and control, often aiming to reach the servers that manage cryptocurrency wallets.

Transferring Funds: They then transfer the stolen cryptocurrency to wallets they control. These funds are often laundered through various means, including mixing services and multiple transactions across different cryptocurrencies and exchanges to obscure the origin of the funds.
