According to ClearSky researchers, the latest attack campaign against crypto-exchange companies, dubbed CryptoCore, has been ongoing for about three years, with the attackers focusing mainly on the theft of cryptocurrency wallets.
Other names associated with this campaign include CryptoMimic, Dangerous Password and Leery Turtle, and it is attributed to a specific cyber-threat actor: North Korea’s Lazarus APT group, also known as Hidden Cobra.
How was the Lazarus Group traced to the CryptoCore attacks?
The CryptoCore campaign, which targeted crypto exchanges in Japan, Israel, Europe and the U.S. and resulted in the theft of millions of dollars’ worth of cryptocurrency, was traced with "medium-high" likelihood to the Lazarus Group, also known as APT38 or Hidden Cobra, by researchers from the Israeli cybersecurity firm ClearSky.
Interestingly, the Lazarus Group was not previously known to attack Israeli targets; this is perhaps the first such case. ClearSky researchers based their attribution on two stages of research. The first stage was a comparative study of all the published research documents, aimed at showing that they all refer to the same campaign.
The second stage adopted F-Secure’s attribution to the Lazarus Group, reaffirmed by comparing the attack tools found in this campaign with those used in other Lazarus campaigns, which showed strong similarities.
The Lazarus Group was believed to have stolen an estimated $200 million, according to a report published in June 2020 that linked CryptoCore to five targets located in Japan, the U.S. and the Middle East. The latest research, however, shows that the operations were more widespread than previously documented.
Since entering the scene in 2009, the Lazarus Group has used its offensive cyber capabilities to carry out cyber-espionage and cryptocurrency heists against Western businesses and critical infrastructure.