The FBI has warned crypto companies of a wave of sophisticated social engineering attacks by North Korean hackers targeting employees to deploy malware and steal cryptocurrencies.
“North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen,” the agency said.
According to the FBI, “the scale and persistence” of the aggressive campaign could compromise “even those well versed in cybersecurity practices,” highlighting the severity of the North Korean crypto hacking activity.
North Korean social engineering attacks seriously threaten crypto companies
In six months, the FBI observed North Korean hackers researching various targets related to cryptocurrency exchange-traded funds (ETFs), suggesting they were preparing to launch social engineering attacks.
According to the agency, the social engineering attacks by North Korean hackers pose a serious threat to crypto companies, especially those with “large quantities of cryptocurrency-related assets or products.”
Accordingly, the FBI published a list of tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) associated with the North Korean hackers to help crypto companies prepare for the impending social engineering attacks.
North Korean crypto hacking tactics
The FBI said it detected “Extensive Pre-Operational Research” to identify victims via social media activity, especially on professional networking platforms.
After identifying their victims, the DPRK hackers then incorporate personal details to craft compelling “Individualized Fake Scenarios” such as offers for new employment or corporate investment opportunities.
To build rapport with potential victims before steering them toward a malware download, the threat actors usually weave in lesser-known personal and professional details.
“The actors usually attempt to initiate prolonged conversations with prospective victims to build rapport and deliver malware in situations that may appear natural and non-alerting,” the FBI warned.
“One of the key facts that the FBI details is that the North Korean threat actors are willing to engage in prolonged communication with victims and willing to take the time to fully establish themselves as a trusted individual before providing a scenario in which executing software locally makes sense,” noted Max Gannon, Cyber Intelligence Team Manager at Cofense. “Even many of the highly targeted and advanced APT attacks involve single communications without an established sense of legitimacy, making this new wave of attacks particularly notable.”
The malicious actors also communicate in “fluent or nearly fluent English and are well versed in the technical aspects of the cryptocurrency field,” to earn their potential victims’ trust.
Additionally, they impersonate various entities, including known contacts, general recruiters, and prominent people associated with certain technologies. They also impersonate recruiting firms and technology companies using professional websites to increase legitimacy.
North Korean crypto hackers’ IoCs
After creating rapport with their potential victims, the hackers request them to download non-standard applications or execute certain code on company devices. This request should raise alarm for any cybersecurity-conscious employee, highlighting the importance of cybersecurity awareness and training.
They might also request “pre-employment tests” involving debugging or executing Node.js or PyPI packages, scripts, or GitHub repositories.
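A defender-side triage helper for exactly this lure, added here as an example that is not part of the FBI advisory: it statically inspects a package.json from an unsolicited "coding test" repository, lists the lifecycle hooks npm would run automatically on `npm install`, and flags command patterns typical of install-time droppers. Nothing is installed or executed, and the sample package.json is constructed for illustration.

```python
"""Static triage of an unsolicited npm "coding test" package (added example).

Parses a package.json, lists lifecycle hooks that npm runs automatically on
`npm install`, and flags shell-command patterns typical of install-time
droppers. Nothing is installed or executed; the sample below is constructed.
"""
import json
import re

# Lifecycle hooks npm runs without the user explicitly invoking them.
AUTO_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic patterns that deserve a second look in an install-time script.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|https?://)", re.I),
    "eval_or_spawn": re.compile(r"\b(eval|Function|child_process|exec|spawn)\b"),
    "encoded_blob": re.compile(r"(base64|fromCharCode|\\x[0-9a-f]{2})", re.I),
}


def triage_package_json(text: str) -> dict:
    """Return auto-run hooks, per-script suspicious hits, and a verdict."""
    scripts = json.loads(text).get("scripts", {})
    findings = {
        "auto_hooks": [h for h in AUTO_HOOKS if h in scripts],
        "suspicious": {},
    }
    for name, cmd in scripts.items():
        hits = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if hits:
            findings["suspicious"][name] = hits
    risky = findings["auto_hooks"] or findings["suspicious"]
    findings["verdict"] = "do not run" if risky else "review manually"
    return findings


# Constructed sample mimicking a "pre-employment test" repo's package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"eval(Buffer.from('PLACEHOLDER','base64').toString())\"",
    },
})

if __name__ == "__main__":
    print(json.dumps(triage_package_json(SAMPLE_PACKAGE_JSON), indent=2))
```

The heuristics are deliberately coarse: a hit means the package should go to a sandboxed analysis workflow, never onto a company device.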
Similarly, they offer lucrative employment with certain prominent technology or crypto companies, usually with “unrealistically high compensation without negotiation.”
In addition, they might offer unsolicited investment opportunities with prominent companies or individuals, which were not previously discussed or requested.
They also request employees to use “non-standard or custom software” for basic tasks, such as video conferencing or connecting to servers, when such tasks could be completed in widely available applications such as Zoom or FileZilla.
Other IoCs identified by the FBI include requests to “run a script to enable call or video teleconference functionalities” that are supposedly blocked because of the victim’s location, and requests to move conversations to other messaging platforms.
Unsolicited contacts that contain unexpected links or attachments are also tell-tale signs of North Korean crypto hackers at work, according to the FBI.
“These advanced campaigns are purportedly capable of fooling even technically knowledgeable cybersecurity professionals; however, maintaining a high level of suspicion in online interactions, even of those that seem to be legitimate, can help drastically reduce the risk of compromise,” Gannon added.
Mitigating North Korean crypto social engineering attacks
The FBI recommended various mitigations to thwart North Korean social engineering attacks. They include employees verifying contacts’ identity and rejecting pre-employment tests that require code execution on company devices.
“Even more of the risk of these attacks can be mitigated simply by not performing personal tasks like job interviews or ‘pre-employment tests’ on workplace property,” Gannon continued.
Crypto companies should also avoid storing crypto information on internet-enabled devices and enable multi-factor authentication (MFA) with mandatory authorization from unconnected entities.
In addition, they should avoid publicly sharing sensitive network documentation, business or product development pipelines, and code repositories.
They should also only “funnel business communications to closed platforms” with authentication, and regularly and physically re-authenticate employees.
Similarly, crypto companies with large cryptocurrency stashes should restrict network-connected devices from downloading and executing code, except for whitelisted applications, and disable email attachments.