Recently, it was announced that North Korea had laundered another $23 million through Tornado Cash crypto-mixing service, which, according to Chainalysis “The Chainalysis 2024 Crypto Crime Report” is just a tiny fraction of the more than $3 billion worth of cryptocurrencies they have stolen from exchanges and wallets over the past few years. On the same day, it was revealed that North Korea had shipped around 7,000 containers filled with munitions and other military equipment to Russia since last year to help support its war in Ukraine. In exchange, North Korea is believed to receive aid in fuel and other items in defiance of U.N. Security Council sanctions from Russia.
Over the past few decades, North Korea has had increasingly expansive sanctions imposed on them as they have continued to develop their nuclear weapons and missile programs. To evade sanctions and to continue to fund their military ventures, North Korea has turned to a new emerging and lucrative industry — cybercrime.
North Korea’s hacking group, “The Lazarus Group,” also known as APT38, has been active since 2009. It initially targeted financial institutions and banks and made a name for itself when it compromised Sony. The Lazarus Group has quickly evolved its capabilities to ransomware and recently shifted its targets to cryptocurrency exchanges, casinos, and even cybersecurity companies. In one heist, the Lazarus Group was able to steal $615 million from blockchain project Ronin. According to cryptocurrency forensic company Chainalysis, North Korea has made around $2.7 billion in crypto heists from various sources over the last two years alone. A US official states that roughly 50% of Pyongyang’s foreign currency earnings comes from cyber theft.
In addition to increasing the sophistication of its hacking efforts, the Lazarus Group has also proven to be quite successful at white-collar crime by developing a complex network of money laundering capabilities to convert stolen cryptocurrency into foreign currency. These networks involve a combination of crypto exchanges, blacklisted crypto-mixers, casinos, and organized crime syndicates.
The proceeds of the Lazarus Group’s cybercrime activities have gone toward funding the DPRK’s military programs. Due to U.N. sanctions, the DPRK’s weapons exports had declined dramatically, however, North Korea’s collaboration with Russia appears to have changed this dynamic with Russia’s need for munitions. It is believed North Korea has provided millions of artillery rounds, ballistic missiles, and other weapons to be used against Ukraine. In exchange, it is believed that North Korea received food, raw materials and even fuel in defiance of U.N. Security Council sanctions on oil imports. Russian leader Vladimir Putin even gave North Korean Leader Kim Jong Un a limo as a gift of thanks for their collaboration.
The South Korean Defense Ministry estimates that North Korea has nearly 7K hackers on its payroll, typically organized into teams of 5-10 with specific objectives and estimates that each member brings in $200-300K USD worth of foreign currency a month. The Lazarus Group has targeted the cryptocurrency industry primarily because it has been lucrative and easy to target. Many cryptocurrency companies operate in an unregulated industry, and many startups build applications quickly, focusing on getting to market fast. The speed to market left many open to vulnerabilities in their applications, infrastructure, and processes. Instead of traditional brute force methods or zero-day software exploits, the Lazarus Group targets developers and infrastructure where they can find secrets and keys that would give them access to crypto assets.
In the Ronin breach, the Lazarus hackers compromised validator nodes and private keys to steal crypto assets; the techniques used appear to be primarily the social engineering of developers and not a technical vulnerability. Lazarus has a pattern of targeting developers and development infrastructure where they can access code, credentials, keys, and secrets. Many organizations, particularly startups, may not monitor this type of infrastructure for potential threats, as it is often outside the purview of traditional security teams.
GitHub recently warned of a social engineering campaign targeting developers attributed to the Lazarus Group. The campaign started with messages sent from LinkedIn, Slack, and GitHub to developers to get them to download and execute code with malicious dependencies. In this case, the target was the developer’s systems, when the attackers tried to gain access to code repositories and other applications where access tokens could be compromised, and the attackers could pivot into additional infrastructure.
We recommend assessing the secure configuration and monitoring of tools such as Okta, GitHub, cloud platforms, and other developer tools and platforms your organization uses – mainly if you are in the financial services, cryptocurrency, or cybersecurity industries. It is becoming increasingly important for developers, operations, and security to collaborate and work together to identify risks posed by this new rising threat. One thing we know about cybercrime is that once one actor can monetize a particular method or approach, it quickly becomes a gold rush, and more attackers exploit it.
Join us for a live, hands-on workshop. We will run through a similar threat scenario posed by Midnight Blizzard with actual attacks on identity, code, and DevOps infrastructure. In these workshops, you will learn to leverage detection-as-code to write real-time detections and use a Security Data Lake and purple teaming techniques.
BSides Tampa – Friday, April 5-6
Code-to-Cloud: Securing the Software Supply Chain
Location: BSides Tampa – University of South Florida 4103 USF Cedar Circle, Tampa, Florida
BSides Seattle – Saturday, April 27
Purple Teaming with Detection-as-Code for Modern SIEM
Location: Building 92, 15010 NE 36th St, Redmond 98052, WA