Government Sanctioned Cybercrime – What is the Lazarus Group?

Published on Securities.io (Digital Assets)

Cybercrime is a menace. Estimates suggest that the combined harm cybercrime could inflict on systems worldwide was as high as US$6 trillion in 2021. And if the number already appears frightening, it is expected to hit US$10.5 trillion by 2025. In 2015, it was US$3 trillion. A growth of more than 300% in a decade is something that we all need to worry about. Yes, you read that right!

What is Cybercrime?

Cybercrime is an umbrella term that encompasses a whole lot of schemes and efforts to disturb, damage, and cause harm to networks and systems. It can be any sort of malicious activity that targets a computer, a computer network, or a networked device. It can be a malware attack, where the attacker infects a system with a virus.

A phishing campaign uses spam emails, messages, or other forms of communication to trick the recipient into disclosing private data. A distributed denial-of-service (DDoS) attack, often directed at IoT devices, brings down a particular system or network.

Types of cybercrime also include theft of financial data, card or payment data, cyber-extortion, cyber-espionage, copyright infringement, illegal gambling, ransomware attacks, and more.

According to data presented by the globally revered cyber security company Kaspersky, a single attack, which could be a data breach, malware, ransomware, or DDoS attack, can cost a company, irrespective of its size, an average of US$200,000. In fact, the insurance company Hiscox's data shows that affected companies may go out of business within six months of the attack.

Undoubtedly, cybercrime is something that comes with grave and severe consequences. Attackers or hackers are spread globally and are equipped to attack any system or network from any remote location.

However, crime is not something we generally associate with government-backed agencies. They enforce laws; we hardly think of them as perpetrators. So you would surely be taken aback if we, at this point, raised the case of government-sanctioned cybercrime. Yet it is not uncommon for cybercrime to serve political purposes that go beyond monetary gain. Here, we will discuss a well-known case of this kind, in which a state is alleged to be complicit in perpetrating cybercrime.

The Curious Case of Jon Chang Hyok and Kim Il

The Federal Bureau of Investigation's site lists two North Korean individuals on its Most Wanted list. Both Jon Chang Hyok and Kim Il are charged with conspiracy to commit wire and bank fraud and computer-related fraud. Both are alleged to be state-sponsored hackers who took part in a criminal conspiracy that resulted in some of the costliest computer intrusions in history. But these are no ordinary accused. They are not perpetrators working with the simple agenda of looting funds; their purpose goes deeper and is murkier than one might expect.

Both are alleged members of a group of hackers of the North Korean Government's Reconnaissance General Bureau. The conspiracy they both have been part of comprises North Korean hacking groups that many cybersecurity researchers have labeled as the Advanced Persistent Threat 38 (APT38) or “Lazarus Group.”

The Lazarus Group and its Alleged Misdeeds

The most recent mention of the ‘notorious' Lazarus Group surfaced when, in January-end 2022, the FBI confirmed that it was the group that orchestrated the US$100 million Harmony Bridge Hack in June 2022.

On June 23rd, 2022, the Harmony protocol team identified a theft from the Horizon bridge amounting to approximately US$100 million. In its January 23rd statement, the FBI confirmed that the Lazarus Group and APT38, ‘cyber actors associated with the DPRK,' were responsible for the theft of US$100 million worth of virtual currency. The attackers exploited security holes in Harmony's Horizon Ethereum bridge and drained several assets stored in the bridge via 11 transactions.

Before the Harmony Horizon Bridge hack, the name of the infamous Lazarus Group also came up in reports on the US$600 million Ronin Bridge hack in March 2022. For those unfamiliar with the Ronin Bridge hack, it was the largest exploit of virtual assets in 2022. The stolen funds amounted to a whopping US$612 million, comprising 173,600 ETH and 25.5 million USD Coin (USDC).

Axie Infinity, a play-to-earn non-fungible token (NFT) game, used Ronin as an Ethereum sidechain. In explaining the nature of the attack, Axie Infinity's developer, Sky Mavis, said that the hackers had obtained private keys, which let them compromise validator nodes, fraudulently approve transactions, and drain the funds from the bridge.

The United States Treasury Department's Office of Foreign Assets Control updated its Specially Designated Nationals and Blocked Persons (SDN) list in mid-April 2022, identifying the Lazarus Group as the likely orchestrator of the hack. The hackers were so sophisticated and clandestine that the hack was discovered only several days after it took place, despite being one of the biggest robberies of its kind in the crypto space.

The Harmony Horizon Bridge hack followed a similar pattern. There, the Lazarus Group used RAILGUN, a privacy protocol, to launder over US$60 million worth of Ethereum stolen in the hack. According to the FBI's investigation, a portion of these funds was frozen in cooperation with some virtual asset service providers (VASPs), while the remaining Bitcoin was subsequently moved to other addresses.

The FBI has kept its cyber and virtual assets units deployed, along with the U.S. Attorney's office and the U.S. Justice Department's Crypto unit, to identify, intercept, and disrupt the efforts of this North Korean group. The bureau believes that the group's theft and laundering of virtual currencies are meant to support North Korea's ballistic missile and Weapons of Mass Destruction programs.

Joint Cybersecurity Advisory Issued

On April 18th, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI and the U.S. Treasury, released an advisory on the ‘North Korean state-sponsored activity targeting blockchain technology and the cryptocurrency industry.'

The Threats

The advisory notes that the cyber threat associated with crypto thefts has been active since at least 2020. The document also recognized, in no uncertain terms, that this advanced persistent threat (APT) group is sponsored by the North Korean state. The agencies identified the group by the names Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.

The U.S. Government's analysis describes these malicious cyber actors as entities that target a variety of organizations in the blockchain and crypto industry. They spare none. The list of targets includes crypto exchanges, DeFi protocols, play-to-earn (P2E) cryptocurrency video games, crypto trading companies, venture capital (VC) funds, and individual holders of large amounts of cryptocurrency or valuable NFTs.

The Lazarus Group, and cyber actors like them, are adept at socially engineering victims through a range of communication platforms and eventually luring them into downloading Trojanized crypto applications for Windows and macOS. Through these applications, the attackers gain access to the end user's computer and spread malware across the entire network environment.

The advisory pointed out that the Lazarus Group was responsible for targeting a range of firms, entities, and exchanges in the blockchain and crypto industry. Their methods were spear-phishing campaigns and malware deployed to steal funds.

AppleJeus Malware

The FBI, CISA, and the U.S. Treasury specifically recognized the use of AppleJeus malware in the Lazarus Group's targeting of organizations for crypto theft in more than 30 countries over the past few years. The advisory noted that North Korea had used ‘AppleJeus malware posing as cryptocurrency trading platforms since at least 2018.'

The malicious application appears to come from a legitimate crypto trading company, so the targeted individuals believe they are downloading a third-party application from a legitimate website and install it.

The North Korean Government has presumably used several versions of the malware in the five years since it was discovered in 2018.

The Method of Execution

The cybercriminals start their operations by sending large volumes of phishing messages to employees of crypto businesses. They mostly target people who work in system administration or software development/IT operations (DevOps).

The messages these hackers send are mostly recruitment pitches offering high-paying jobs. With these enticements, they induce employees to download malware-laden crypto applications, which the government refers to as TraderTraitor. The TraderTraitor campaigns feature websites with a modern design advertising the applications.

While listing Jon Chang Hyok on the FBI's most wanted list, the agency tagged similar offenses to his name, saying that he was alleged to have been directly involved in the “development and dissemination of malicious cryptocurrency applications targeting numerous cryptocurrency exchanges and other companies.”

For Kim Il, the alleged crime involved “cyber-enabled heists from financial institutions” and the Marine Chain ICO scam.

The Marine Chain ICO scam was started by three North Korean intelligence operatives. It was a malicious ploy to fraudulently collect funds during the heyday of the 2018 ICO boom, when projects raised nearly US$12 billion.

Marine Chain presented itself as the “next-generation global maritime investment marketplace enabled by blockchain technology.” It promised that vessel owners could tokenize part-ownership of their ships and sell these fractional ownership coins to individuals and institutions. They termed these Vessel Token Offerings, which were to take place on the Ethereum blockchain.

Kim Il and Jon Chang Hyok, along with Park Jin Hyok – all from North Korea – were founders of the Marine Chain ICO. They hid the fact that they were members of the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB). They used false names and channeled every penny raised in the ICO to North Korea, evading U.S. sanctions. The trio was accused of US$1.3 billion in attempted theft through numerous extortion plots and cyber attacks.

What is to Happen?

While U.S. investigative agencies continue to discover and track hacks and attempted extortions on a regular basis, both Kim Il and Jon Chang Hyok remain on the FBI's Most Wanted list, and arrest warrants have been issued. However, CISA stated plainly in its advisory that “these actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

Gaurav started trading cryptocurrencies in 2017 and has fallen in love with the crypto space ever since. His interest in everything crypto turned him into a writer specializing in cryptocurrencies and blockchain. Soon he found himself working with crypto companies and media outlets. He is also a big-time Batman fan.