Learn about the FBI’s warning on North Korean cyber-attacks targeting cryptocurrency firms
Crypto firms and decentralized finance (DeFi) businesses around the world are on high alert following a recent warning from the Federal Bureau of Investigation (FBI) about sophisticated cyber-attacks originating from North Korea. The Democratic People’s Republic of Korea (DPRK), known for its aggressive cyber-operations, is reportedly conducting highly tailored social engineering campaigns aimed at deploying malware and stealing digital assets from companies involved in the cryptocurrency sector.
North Korea’s state-sponsored cyber actors are leveraging advanced tactics to compromise the networks and systems of these firms, including conducting extensive pre-operational research, crafting individualized attack scenarios, and using elaborate impersonation techniques. These campaigns are proving to be difficult to detect, even for those well-versed in cybersecurity practices, highlighting the evolving and persistent threat landscape facing the cryptocurrency industry.
North Korean Social Engineering Tactics: A Deeper Look
The FBI’s announcement sheds light on the specific tactics employed by North Korean cyber actors in their efforts to infiltrate cryptocurrency firms and DeFi platforms. These tactics are notable for their complexity and sophistication, often involving long-term planning and targeted approaches that exploit human psychology and trust.
Extensive Pre-Operational Research
North Korean cyber actors conduct thorough pre-operational research to identify specific cryptocurrency-related businesses and individuals to target. Before making contact, these actors meticulously review social media profiles, professional networking sites, and other online platforms to gather detailed information about potential victims. This reconnaissance allows them to craft highly convincing scenarios tailored to the backgrounds, skills, and interests of their targets.
Individualized Fake Scenarios
Once a target is identified, the attackers use the collected information to create customized scenarios that are uniquely appealing to the victim. These scenarios may involve offers of new employment, corporate investments, or partnership opportunities, often referencing personal details that only a few people are likely to know. The goal is to build rapport and trust with the target, making them more susceptible to the actor’s malicious intent.
By initiating prolonged conversations, often over weeks or months, the attackers aim to appear legitimate and gain the victim’s confidence. Their fluency in English and their familiarity with the technical aspects of cryptocurrency further enhance the credibility of these interactions.
Impersonation Tactics
Impersonation is another common tactic used by North Korean cyber actors. They may pose as individuals that the victim knows personally or professionally, such as colleagues, recruiters, or executives from well-known technology firms. To increase the believability of their impersonation, they often use realistic imagery, including photographs stolen from social media profiles of real people.
These actors may also create fake recruiting firms or technology companies with professional-looking websites to bolster their credibility. In some cases, they go as far as creating fake events or using time-sensitive scenarios to prompt immediate action from their intended victims.
Potential Indicators of North Korean Social Engineering Activity
The FBI has identified several indicators that may suggest a company or individual is being targeted by North Korean cyber actors. Recognizing these signs can help organizations mitigate the risk of falling victim to these sophisticated social engineering attacks.
Some of the key indicators include:
- Unsolicited requests to execute code or download applications on company-owned devices or devices with access to the company’s internal network.
- Invitations to conduct “pre-employment tests” or debugging exercises involving non-standard or unknown software packages.
- Unexpected offers of employment from prominent cryptocurrency or technology firms, especially those offering unrealistically high compensation without negotiation.
- Unsolicited investment offers from companies or individuals that were not previously discussed or proposed.
- Requests to use non-standard or custom software for simple tasks that could easily be completed using common applications.
- Requests to move conversations to less secure messaging platforms or to run scripts to enable certain functionalities blocked due to the victim’s location.
- Unsolicited contacts containing unexpected links or attachments.
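One way to operationalize the indicators above is to log each unsolicited approach as a structured record and score it against them, so that a help desk or security team applies the same rules every time. The following triage routine is an added example, not code from the FBI advisory: the record fields, the weights, the tier thresholds and the three sample contacts are constructed for illustration.

```python
"""Triage of an unsolicited inbound contact against the FBI-listed indicators.

Added example, not code from the FBI advisory: the record fields, weights,
thresholds and the sample contacts below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundContact:
    """A structured summary of one inbound approach, as an analyst would log it."""
    sender_verified: bool            # identity confirmed on a separate, unconnected channel
    asks_to_run_code: bool           # wants code run or an app installed on a company device
    pre_employment_test: bool        # "take-home test" or debugging task with unknown packages
    job_offer: bool
    unrealistic_compensation: bool   # very high pay, no negotiation
    investment_offer: bool           # investment never previously discussed
    custom_tool_for_simple_task: bool
    platform_switch_requested: bool  # asks to move to a less secure messaging app
    region_workaround_script: bool   # "run this script to unblock the feature in your region"
    has_link_or_attachment: bool


# (indicator name, predicate, weight). Weights are constructed: the two
# indicators that put code on a company device carry the most weight.
INDICATORS = [
    ("code_execution_request",          lambda c: c.asks_to_run_code, 5),
    ("region_workaround_script",        lambda c: c.region_workaround_script, 5),
    ("pre_employment_test",             lambda c: c.pre_employment_test, 4),
    ("custom_software_for_simple_task", lambda c: c.custom_tool_for_simple_task, 3),
    ("unrealistic_compensation",        lambda c: c.job_offer and c.unrealistic_compensation, 3),
    ("unsolicited_job_offer",           lambda c: c.job_offer and not c.sender_verified, 2),
    ("unsolicited_investment_offer",    lambda c: c.investment_offer and not c.sender_verified, 2),
    ("platform_switch",                 lambda c: c.platform_switch_requested, 2),
    ("unexpected_link_or_attachment",   lambda c: c.has_link_or_attachment and not c.sender_verified, 2),
]

# Any request that puts code on a company device escalates regardless of score.
HARD_ESCALATE = {"code_execution_request", "region_workaround_script"}


def triage(contact: InboundContact) -> tuple[str, list[str], int]:
    """Return (tier, matched indicator names, score).

    tier is "escalate" (any code-execution ask, or score >= 6),
    "verify_out_of_band" (score 3..5) or "low" (score < 3).
    """
    matched = [name for name, pred, _ in INDICATORS if pred(contact)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    if HARD_ESCALATE & set(matched) or score >= 6:
        tier = "escalate"
    elif score >= 3:
        tier = "verify_out_of_band"
    else:
        tier = "low"
    return tier, matched, score


def _contact(**flags) -> InboundContact:
    """Build a contact with every flag False except those given."""
    names = InboundContact.__dataclass_fields__
    return InboundContact(**{f: flags.get(f, False) for f in names})


# Constructed sample contacts.
SAMPLES = {
    # "Recruiter" for a well-known exchange: generous salary, and a take-home
    # test that needs an unknown package installed on the work laptop.
    "recruiter": _contact(job_offer=True, unrealistic_compensation=True,
                          pre_employment_test=True, asks_to_run_code=True),
    # Unknown "investor" who wants to continue on another messaging app.
    "investor": _contact(investment_offer=True, platform_switch_requested=True),
    # A verified colleague sharing a document link.
    "colleague": _contact(sender_verified=True, has_link_or_attachment=True),
}

if __name__ == "__main__":
    for name, contact in SAMPLES.items():
        tier, matched, score = triage(contact)
        print(f"{name:10s} {tier:20s} score={score:2d} {matched}")
```

The design choice worth noting is that the two indicators involving code execution on a company device short-circuit to "escalate" no matter how low the rest of the score is, because that is the step at which malware actually lands; everything else routes to out-of-band identity verification first.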
Mitigation Measures: Reducing the Risk of Attack
In response to the escalating threat, the FBI has outlined several best practices that crypto firms and DeFi platforms can adopt to mitigate the risk of falling prey to North Korean social engineering schemes.
Verify Identities Using Separate Platforms
Organizations should develop unique methods to verify a contact’s identity using separate, unconnected communication platforms. For example, if an initial contact is made via a professional networking site, the organization should verify the contact’s request through a live video call on a different messaging application.
Secure Storage of Sensitive Information
It is critical to avoid storing sensitive information about cryptocurrency wallets—such as logins, passwords, wallet IDs, seed phrases, and private keys—on internet-connected devices. Storing such information offline or using hardware wallets can significantly reduce the risk of unauthorized access.
Avoid Executing Code on Company Devices
Organizations should establish a policy that discourages employees from taking pre-employment tests or executing code on company-owned laptops or devices. If a pre-employment test requires code execution, it should be conducted in a virtual machine on a non-company-connected device or a device provided by the tester.
Implement Multi-Factor Authentication and Approvals
To protect financial assets, organizations should require multiple factors of authentication and approvals from different, unconnected networks before any movement of funds. Regular security checks should be performed on devices and networks involved in the authentication process.
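The approval rule in the preceding paragraph can be expressed as a small policy check that a treasury or signing service runs before releasing a transfer: several distinct approvers, from more than one independent network, each strongly authenticated, within a freshness window, and never the person who initiated the transfer. The code below is an added example and not from the FBI advisory; the approver names, network labels, thresholds and sample scenarios are constructed.

```python
"""Approval gate for moving funds: several distinct approvers, from more than
one independent network, each with MFA, inside a freshness window, and never
the person who initiated the transfer.

Added example, not from the FBI advisory; approver names, network labels,
thresholds and the sample approvals are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Approval:
    approver: str      # authenticated identity
    network: str       # independent network / device class the approval came from
    mfa_factors: int   # distinct factors presented when approving
    at: datetime       # approval time (UTC)


@dataclass(frozen=True)
class Policy:
    min_approvers: int = 3
    min_networks: int = 2
    min_mfa_factors: int = 2
    window: timedelta = timedelta(minutes=30)


def evaluate_transfer(initiator: str, approvals: list[Approval],
                      policy: Policy, now: datetime) -> tuple[bool, list[str]]:
    """Return (approved, reasons); reasons lists every blocking condition."""
    reasons = []
    # Separation of duties: the initiator may never count toward approval.
    if any(a.approver == initiator for a in approvals):
        reasons.append("initiator attempted to approve their own transfer")
    # Only fresh, strongly authenticated approvals from other people count.
    usable = [a for a in approvals
              if a.approver != initiator
              and a.mfa_factors >= policy.min_mfa_factors
              and now - policy.window <= a.at <= now]
    approvers = {a.approver for a in usable}   # one person approving twice counts once
    networks = {a.network for a in usable}
    if len(approvers) < policy.min_approvers:
        reasons.append(f"{len(approvers)} usable approver(s), need {policy.min_approvers}")
    if len(networks) < policy.min_networks:
        reasons.append(f"approvals came from {len(networks)} network(s), need {policy.min_networks}")
    return (not reasons), reasons


NOW = datetime(2024, 9, 5, 12, 0, tzinfo=timezone.utc)   # constructed clock
POLICY = Policy()


def _ok(who: str, net: str, minutes_ago: int = 5, factors: int = 2) -> Approval:
    return Approval(who, net, factors, NOW - timedelta(minutes=minutes_ago))


# Constructed scenarios; "alice" is the initiator in every one.
SCENARIOS = {
    "good": [_ok("bob", "office-vpn"), _ok("carol", "signing-room"), _ok("dave", "office-vpn")],
    "stale": [_ok("bob", "office-vpn"), _ok("carol", "signing-room"),
              _ok("dave", "office-vpn", minutes_ago=120)],
    "one_network": [_ok("bob", "office-vpn"), _ok("carol", "office-vpn"), _ok("dave", "office-vpn")],
    "self_approval": [_ok("alice", "office-vpn"), _ok("bob", "office-vpn"), _ok("carol", "signing-room")],
    "duplicate": [_ok("bob", "office-vpn"), _ok("bob", "signing-room"), _ok("carol", "signing-room")],
}

if __name__ == "__main__":
    for name, approvals in SCENARIOS.items():
        approved, reasons = evaluate_transfer("alice", approvals, POLICY, NOW)
        print(f"{name:14s} approved={approved} {reasons}")
```

Counting distinct approvers and distinct networks, rather than raw approvals, is what makes the check meaningful against a compromised workstation: one stolen session cannot satisfy the policy by approving several times, and approvals that all arrive from the same network segment are rejected even when the approver count is met.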
Restrict Access to Sensitive Information
Limiting access to sensitive network documentation, business or product development pipelines, and company code repositories can prevent unauthorized access by malicious actors. Access should be granted on a need-to-know basis, and permissions should be reviewed and updated regularly.
Funnel Communications Through Secured Channels
Business communications should be funneled through closed, authenticated platforms. Before adding anyone to an internal platform, authentication should be performed in person whenever possible. Regular re-authentication should also be required for employees not seen in person for extended periods.
Control Software and File Downloads
For companies handling large quantities of cryptocurrency, the FBI recommends blocking devices connected to the company’s network from downloading or executing files except for specific, whitelisted programs. Email attachments should also be disabled by default to reduce the risk of malware infection.
Responding to a Potential Attack: Immediate Actions
If a company suspects it has been impacted by a social engineering campaign similar to those employed by North Korean cyber actors, the FBI advises several immediate steps to contain the threat and begin remediation.
Disconnect from the Internet
The first step is to disconnect the impacted device or devices from the internet immediately. It is crucial to leave the devices powered on to preserve any recoverable malware artifacts that could be useful for forensic analysis.
File a Complaint with the FBI
Companies should promptly file a detailed complaint through the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. The complaint should include as many details as possible regarding the incident, such as screenshots of communications with the malicious actors, usernames, online accounts, and any other relevant identifiers.
Collaborate with Law Enforcement
It is essential to collaborate with law enforcement to explore options for incident response and forensic examination of impacted devices. In some cases, law enforcement may recommend partnering with private incident response companies to assist in containment and remediation efforts.
Raise Awareness Within the Organization
Sharing experiences with colleagues and raising awareness about the potential threat can help broaden understanding of the significant risks posed by North Korean cyber actors. This awareness can help other organizations better protect themselves from similar attacks.
The Broader Implications: North Korea’s Persistent Cyber Threat
The recent warning from the FBI underscores North Korea’s persistent and evolving cyber threat to the global cryptocurrency ecosystem. North Korea has long been accused of using cybercrime as a means to circumvent international sanctions and generate revenue. According to several reports, North Korea’s state-sponsored cyber activities have stolen billions of dollars’ worth of cryptocurrency and other digital assets over the past few years.
The sophistication of North Korea’s cyber operations, particularly their tailored social engineering campaigns, suggests that they have developed a deep understanding of the cryptocurrency sector and its potential vulnerabilities. The cryptocurrency market’s decentralized and largely unregulated nature provides an attractive target for state-sponsored cybercriminals seeking to exploit security gaps.
The growing threat of North Korean cyber-attacks against cryptocurrency firms highlights the need for vigilance and preparedness in the face of evolving cyber risks. Organizations operating in the cryptocurrency and DeFi sectors must adopt robust security measures, stay informed about the latest threats, and foster a culture of cybersecurity awareness among employees.
By implementing the mitigation measures outlined by the FBI and remaining proactive in their cybersecurity strategies, cryptocurrency firms can better protect themselves against the persistent and sophisticated tactics employed by North Korean cyber actors. As the cryptocurrency market continues to grow and evolve, staying ahead of the curve in terms of security will be essential to safeguarding digital assets and maintaining trust in this rapidly developing financial landscape.