Original Title: "Demystifying the North Korean Threat"
Author: samczsun, Paradigm Research Partner
Translation: Bright, Foresight News
On a February morning, the SEAL 911 group lit up, and we watched in confusion as Bybit moved over $1 billion in tokens from its cold wallet to a brand-new address and then quickly began liquidating over $200 million in LSTs. Within minutes, we confirmed with the Bybit team and through independent analysis (the multi-signature wallet had previously used the publicly verified Safe Wallet contracts but was now pointing at newly deployed, unverified contracts) that this was not routine maintenance. Someone had just carried out the largest hack in cryptocurrency history, and we had a front-row seat to it.
While some team members (and the broader investigative community) began tracking the funds and notifying partner exchanges, others tried to work out what exactly had happened and whether other funds were at risk. Fortunately, identifying the perpetrator was easy. In recent years, only one known threat actor has successfully stolen billions from cryptocurrency exchanges: North Korea, also known as the DPRK.
However, beyond that, we had almost no clues available. Due to the cunning nature of North Korean hackers and their sophisticated self-concealment techniques, it is not only difficult to determine the root cause of the breach but also hard to know which specific team within North Korea is responsible. The only intelligence we could rely on indicated that North Korea indeed likes to use social engineering to infiltrate cryptocurrency exchanges. Therefore, we speculated that North Korea likely compromised Bybit's multi-signers and then deployed some malware to interfere with the signing process.
This speculation turned out to be completely wrong. Days later, we learned that North Korea had in fact compromised Safe Wallet's own infrastructure and deployed a malicious payload specifically targeting Bybit. This level of sophistication was something nobody had anticipated or prepared for, and it seriously challenged many of the security models in use across the industry.
North Korean hackers pose an increasingly serious threat to our industry, and we cannot defeat an enemy we do not understand. There are numerous documented incidents and articles covering various aspects of North Korea's cyber operations, but piecing them together is hard. I hope this overview provides a more comprehensive picture of how North Korea operates, along with its tactics and procedures, so that we can implement the right mitigations.
Organizational Structure
Perhaps the biggest misconception that needs to be addressed is how to classify and name the vast array of North Korean cyber activities. While it is acceptable to use the term "Lazarus Group" colloquially, it is helpful to use more precise terminology when discussing North Korea's systematic cyber threats in detail.
First, it helps to understand North Korea's "organizational chart." At the top sits the country's sole ruling party, the Workers' Party of Korea (WPK), which leads every government organ in North Korea. These include the Korean People's Army (KPA) and the Central Committee. Within the KPA is the General Staff Department (GSD), which houses the Reconnaissance General Bureau (RGB). The Munitions Industry Department (MID) is subordinate to the Central Committee.
The RGB is responsible for almost all of North Korea's cyber warfare, including nearly all observed North Korean activity in the cryptocurrency industry. In addition to the notorious Lazarus Group, other threat actors that emerged from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. The MID, on the other hand, is responsible for North Korea's nuclear and missile programs and is the primary source of North Korean IT workers, tracked by the intelligence community as Contagious Interview and Wagemole.
Lazarus Group
The Lazarus Group is a highly sophisticated hacking organization, with cybersecurity experts believing that some of the largest and most destructive hacks in history have been attributed to this group. In 2016, Novetta first identified the Lazarus Group while analyzing the Sony Pictures Entertainment hack.
In 2014, Sony was producing the action-comedy film "The Interview," which prominently featured the humiliation and subsequent assassination of Kim Jong-un. Understandably, this was not well-received by the North Korean regime, which retaliated by hacking Sony's network, stealing several terabytes of data, leaking hundreds of gigabytes of confidential or sensitive information, and deleting originals. As then-CEO Michael Lynton stated, "The people who did this not only stole everything in the house, they burned the house down." Ultimately, Sony's investigation and remediation costs from this attack amounted to at least $15 million, with losses likely exceeding that.
Then, in 2016, a threat actor closely resembling the Lazarus Group infiltrated Bangladesh Bank intending to steal nearly $1 billion. Over the course of a year, the attackers socially engineered Bangladesh Bank employees, eventually gained remote access, and moved laterally through the bank's internal network until they reached the computers used to interact with the SWIFT network. From there, they waited for the ideal moment to strike: Bangladesh Bank closed for its weekend on Thursday, while the Federal Reserve Bank of New York closed for its weekend on Friday. On Thursday evening, Bangladesh local time, the threat actor used its SWIFT access to send 36 separate transfer requests to the Federal Reserve Bank of New York, where they arrived early on Thursday morning, local time. Over the next 24 hours, the New York Fed forwarded the transfers to Rizal Commercial Banking Corporation (RCBC) in the Philippines, which began processing them. When Bangladesh Bank reopened, it discovered the hack and tried to notify RCBC to stop the pending transactions, only to find that RCBC was closed for the Lunar New Year holiday.
Finally, in 2017, the massive WannaCry 2.0 ransomware attack crippled industries worldwide, and part of the blame has been attributed to the Lazarus Group. WannaCry is estimated to have caused billions in damages. It exploited a Microsoft Windows zero-day originally developed by the NSA, encrypting not only the local device but also spreading to any other reachable devices, ultimately infecting hundreds of thousands of machines globally. Fortunately, security researcher Marcus Hutchins discovered and activated a kill switch within eight hours, which contained the final losses.
Throughout the evolution of the Lazarus Group, they have demonstrated extremely high technical capabilities and execution, with one of their goals being to generate revenue for the North Korean regime. Therefore, it was only a matter of time before they turned their attention to the cryptocurrency industry.
Derivatives
Over time, as the Lazarus Group became the preferred term used by the media to describe North Korean cyber activities, the cybersecurity industry created more precise names for the specific activities of the Lazarus Group and North Korea. APT38 is one example, which separated from the Lazarus Group around 2016 to focus on financial crimes, initially targeting banks (like Bangladesh Bank) and then cryptocurrency. Later, in 2018, a new threat called AppleJeus was discovered, spreading malware targeting cryptocurrency users. Furthermore, as early as 2018, when OFAC first announced sanctions against two front companies used by North Koreans, North Korean individuals posing as IT workers had already infiltrated the tech industry.
North Korean IT Workers
Although the earliest records mentioning North Korean IT workers date back to the 2018 OFAC sanctions, Unit 42's 2023 report provided more detailed information, identifying two distinct threat actors: Contagious Interview and Wagemole.
Reportedly, Contagious Interview impersonates recruiters from well-known companies, luring developers into fake interview processes. Potential candidates are then instructed to clone a repository for local debugging, ostensibly as a coding challenge, but in reality, the repository contains a backdoor that, when executed, hands control of the affected machine over to the attacker. This activity has been ongoing, with the most recent record on August 11, 2024.
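A defensive habit against the lure described above is to read what a "challenge" repository will execute before running any of it, including the install hooks that run without an explicit command. The script below is an added example, not code from the original article; it assumes a Node.js project layout (package.json lifecycle scripts), uses a heuristic indicator list, and builds a constructed sample repository in a temporary directory.

```python
"""Pre-execution triage of a cloned "coding challenge" repository.

Added example, not code from the original article. Assumes a Node.js project
layout (package.json lifecycle scripts); the indicator patterns are heuristics
and the sample repository is constructed in a temporary directory.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`, before any challenge is "run".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns worth reading by hand before executing anything (signals, not proof).
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(?:eval|new Function)\s*\("),
    "child-process": re.compile(r"child_process|execSync\s*\(|spawn\s*\("),
    "base64-blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "remote-fetch": re.compile(r"https?://[^\s'\"]+"),
}


def triage_repo(root) -> list:
    """Return (relative_path, indicator, excerpt) triples for everything that needs a look."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.exists():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(("package.json", f"lifecycle-hook:{hook}", scripts[hook][:80]))
    for path in root.rglob("*.js"):
        if "node_modules" in path.parts:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for name, pattern in INDICATORS.items():
            match = pattern.search(text)
            if match:
                findings.append((rel, name, match.group(0)[:80]))
    return findings


def build_sample_repo() -> Path:
    """Constructed sample: a plausible-looking challenge whose install hook runs decoded code."""
    root = Path(tempfile.mkdtemp(prefix="challenge-"))
    (root / "package.json").write_text(json.dumps({
        "name": "interview-challenge",
        "scripts": {"test": "node test.js", "postinstall": "node lib/setup.js"},
    }))
    (root / "lib").mkdir()
    # The blob is just "ABC" repeated; it stands in for an opaque payload.
    (root / "lib" / "setup.js").write_text(
        'const blob = "' + "QUJD" * 40 + '";\n'
        'eval(Buffer.from(blob, "base64").toString());\n'
    )
    (root / "test.js").write_text("console.log('tests pass');\n")
    return root


if __name__ == "__main__":
    for rel, name, excerpt in triage_repo(build_sample_repo()):
        print(f"{rel}: {name}: {excerpt}")
```

The point of the lifecycle-hook check is that a candidate who only intends to "run the tests" has already executed the postinstall script by the time the tests start; a hit there is reason to read the hook's target by hand, or to run the whole exercise in a disposable virtual machine rather than on the workstation that holds keys and credentials.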
Wagemole agents, on the other hand, do not primarily aim to hire potential victims but to be hired by companies, where they work much like ordinary engineers, albeit sometimes with low productivity. That said, there are records of IT workers using their access to conduct attacks, such as the Munchables incident, in which an employee linked to North Korean activity exploited privileged access to smart contracts to steal all of the assets.
The complexity of Wagemole agents varies, ranging from generic resume templates and reluctance to participate in video calls to highly customized resumes, deepfake video interviews, and identification documents like driver's licenses and utility bills. In some cases, agents have infiltrated victim organizations for up to a year before using their access to breach other systems and/or completely cash out.
AppleJeus
AppleJeus primarily focuses on spreading malware and excels at conducting complex supply chain attacks. In 2023, the 3CX supply chain attack allowed attackers to potentially infect over 12 million users of 3CX VoIP software, but it was later discovered that 3CX itself was also affected by a supply chain attack from one of its upstream suppliers, Trading Technologies.
In the cryptocurrency industry, AppleJeus initially spread malware disguised as legitimate software (such as trading software or cryptocurrency wallets). However, over time, their strategy evolved. In October 2024, Radiant Capital was compromised by malware sent via Telegram from a threat actor impersonating a trusted contractor, which Mandiant attributed to AppleJeus.
Dangerous Password
Dangerous Password is responsible for low-complexity, socially engineered attacks on the cryptocurrency industry. As early as 2019, JPCERT/CC recorded that Dangerous Password would send phishing emails with enticing attachments for users to download. In recent years, Dangerous Password has been responsible for impersonating industry figures to send phishing emails with subjects like "Stablecoins and Cryptocurrency Assets Are Highly Risky."
Today, Dangerous Password still sends phishing emails but has also expanded to other platforms. For example, Radiant Capital reported receiving a phishing message via Telegram from someone impersonating a security researcher, who distributed a file named "PenpieHackingAnalysis_Report.zip." Users have also reported being contacted by individuals posing as journalists and investors who ask to arrange a call using an obscure video-conferencing application. Like Zoom, these applications download a one-time installer, but when executed they install malware on the device.
TraderTraitor
TraderTraitor is the most sophisticated North Korean threat actor targeting the cryptocurrency industry and has carried out attacks on Axie Infinity and Rain.com, among others. TraderTraitor primarily targets exchanges and other companies holding large reserves. It does not deploy zero-day vulnerabilities against its targets; instead, it uses highly sophisticated spear-phishing. In the Axie Infinity hack, TraderTraitor contacted a senior engineer via LinkedIn, persuaded them to go through a series of interviews, and then sent a "proposal" that delivered malware. Later, in the WazirX hack, TraderTraitor compromised an unidentified component of the signing pipeline and drained the exchange's hot wallet through repeated deposits and withdrawals, forcing WazirX engineers to rebalance from cold wallets to hot wallets. When WazirX engineers went to sign the transfer, they were tricked into signing a transaction that handed control of the cold wallet to TraderTraitor. This closely resembles the February 2025 attack on Bybit, where TraderTraitor first compromised Safe{Wallet}'s infrastructure through social engineering and then deployed malicious JavaScript into the Safe Wallet frontend that targeted Bybit's cold wallet. When Bybit went to rebalance its wallets, the malicious code activated and caused Bybit's engineers to sign a transaction that transferred control of the cold wallet to TraderTraitor.
Stay Safe
North Korea has demonstrated the ability to deploy zero-day vulnerabilities against its adversaries, but there are currently no records or known incidents of North Korea deploying zero-days against the cryptocurrency industry. Therefore, standard security advice applies to almost all North Korean hacker threats.
For individuals, it is essential to use common sense and be wary of social engineering tactics. For example, if someone claims to have highly confidential information and is willing to share it with you, proceed with caution. Or, if someone is pressuring you for time and asking you to download and run certain software, consider whether they are trying to put you in a position where you cannot think logically.
For organizations, apply the principle of least privilege as much as possible. Minimize the number of people who have access to sensitive systems and ensure they use password managers and 2FA. Keep personal devices and work devices separate, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) software on work devices to ensure security before a hack and visibility after a hack.
Unfortunately, for large exchanges or other high-value targets, TraderTraitor can cause unexpected damage even without zero-day vulnerabilities. Therefore, additional precautions must be taken to ensure there are no single points of failure to prevent a single breach from resulting in total loss of funds.
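The WazirX and Bybit incidents described earlier both ended with signers approving a transaction that did not match their intent, because the interface they trusted had been tampered with. One concrete way to remove that single point of failure is to re-check every multisig transaction on an independent machine, against a written policy, before signing. The following is an added example of such a check and is not code from the original article or from Safe; it assumes the Safe transaction-service JSON field names (to, value, data, operation), Safe's convention that operation 0 is CALL and 1 is DELEGATECALL, and a constructed policy and sample transactions.

```python
"""Independent pre-signing check of a Safe multisig transaction against a policy.

Added example, not code from the original article or from Safe. Assumes the
Safe transaction-service JSON field names (to, value, data, operation) and the
Safe convention operation 0 = CALL, 1 = DELEGATECALL. Policy values and the
sample transactions below are constructed for illustration.
"""
from dataclasses import dataclass

CALL = 0          # Safe operation: ordinary call made by the Safe
DELEGATECALL = 1  # Safe operation: run foreign code inside the Safe's own storage context

# First 4 bytes of keccak256("transfer(address,uint256)"): the ERC-20 transfer selector.
ERC20_TRANSFER = "a9059cbb"


def strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


@dataclass(frozen=True)
class Policy:
    allowed_destinations: frozenset  # lower-cased addresses signers expect funds to reach
    allowed_tokens: frozenset        # lower-cased ERC-20 contracts a rebalance may touch
    allow_delegatecall: bool = False


def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) for ERC-20 transfer calldata, or None for anything else."""
    data = strip0x(data_hex).lower()
    if len(data) != 8 + 64 + 64 or data[:8] != ERC20_TRANSFER:
        return None
    recipient = "0x" + data[32:72]   # the address is right-aligned in its 32-byte word
    amount = int(data[72:], 16)
    return recipient, amount


def check_safe_tx(tx: dict, policy: Policy) -> list:
    """Return human-readable findings; an empty list means the tx matches signer intent."""
    findings = []
    to = tx["to"].lower()
    data = strip0x(tx.get("data") or "")
    if tx.get("operation", CALL) == DELEGATECALL and not policy.allow_delegatecall:
        findings.append("DELEGATECALL: would execute foreign code with the Safe's own storage and ownership")
    if data == "":
        # Native-asset transfer: only the destination matters.
        if to not in policy.allowed_destinations:
            findings.append(f"native transfer to unexpected destination {to}")
        return findings
    decoded = decode_erc20_transfer(data)
    if decoded is None:
        findings.append(f"unrecognised calldata (selector {data[:8]}) sent to {to}")
        return findings
    recipient, amount = decoded
    if to not in policy.allowed_tokens:
        findings.append(f"token contract {to} is not on the allow-list")
    if recipient not in policy.allowed_destinations:
        findings.append(f"ERC-20 transfer of {amount} to unexpected recipient {recipient}")
    if int(tx.get("value", "0")) != 0:
        findings.append("ERC-20 transfer also carries non-zero native value")
    return findings


# ---- constructed sample data (not real addresses) ----
HOT_WALLET = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20
POLICY = Policy(allowed_destinations=frozenset({HOT_WALLET}), allowed_tokens=frozenset({TOKEN}))

# What the signer intends: move 1000 token units from the cold Safe to the hot wallet.
GOOD_TX = {"to": TOKEN, "value": "0", "operation": CALL,
           "data": "0x" + ERC20_TRANSFER + "00" * 12 + "11" * 20 + format(1000, "064x")}
# A transaction that differs from that intent in target, operation and calldata.
BAD_TX = {"to": UNKNOWN_CONTRACT, "value": "0", "operation": DELEGATECALL,
          "data": "0x" + "deadbeef" + "00" * 32}

if __name__ == "__main__":
    for label, tx in (("intended", GOOD_TX), ("mismatched", BAD_TX)):
        print(label, check_safe_tx(tx, POLICY) or ["OK"])
```

The check is only worth something if it runs on a device that does not share the compromised interface: the transaction fields are copied from the hardware wallet's own display or fetched directly from the chain or the transaction service, never from the web page that asked for the signature, and any finding at all means the signing ceremony stops until a second person has explained it.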
However, even if everything fails, there is still hope. The FBI has a dedicated department tracking and preventing North Korean intrusions and has been notifying victims for years. Recently, I was pleased to help agents from that department connect with potential North Korean targets. Therefore, to be prepared for the worst, ensure you have publicly available contact information or that you are connected with enough people in the ecosystem (such as SEAL 911) so that messages can reach you as quickly as possible through social networks.