CISA: North Korean State-Sponsored APT Targeting Blockchain Companies

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Treasury Department issued a joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020.

This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.

The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

The activity described in today’s advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.

The U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus malware to steal cryptocurrency: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware.

The U.S. government has also previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using custom malware:

HIDDEN COBRA – FASTCash Campaign

FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

This advisory provides information on tactics, techniques, and procedures and indicators of compromise to stakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats against cryptocurrency.

FBI and CISA encourage all organizations to be cognizant of this threat and apply the recommended mitigations in this advisory. In addition, we encourage all organizations to review our Shields Up webpage to find recommended guidance and actions for all organizations, corporate leaders and CEOs, steps to protect yourself and your family, and a technical webpage with guidance from CISA and Joint Cyber Defense Collaborative (JCDC) industry partners.

Your support to amplify this advisory through your communications and social media channels is appreciated. CISA and the FBI are posting information about our joint advisory on our social media platforms.

Thank you for your continued support and collaboration.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity & Infrastructure Security Agency
U.S. Department of Homeland Security
217-299-3954 / steven.lyddon@cisa.dhs.gov