CryptoCore is an attack campaign against crypto-exchange companies that has been ongoing for three years and was discovered by ClearSky researchers. This cybercrime campaign is focused mainly on the theft of cryptocurrency wallets, and we estimate that the attackers have already made off with hundreds of millions of dollars. This campaign was also reported by additional companies and organizations, including JPCERT/CC[1], NTT Security[2] and F-SECURE[3]. The campaign is also known as CryptoMimic, Dangerous Password and Leery Turtle. In this report we attributed this campaign to a specific actor – North Korea’s LAZARUS APT Group, known also as Hidden Cobra.
Read the full report: Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)
In this report, we based our attribution with two stages of research:
- First stage– connecting all research documents to the same campaign: a comparative study of all the research documents trying to prove they are all referring to the same campaign.
- Second stage – Attribution to Lazarus: We adopted F-SECURE’s attribution to LAZARUS. Then we reaffirmed this attribution by comparing the attack tools found in this campaign to other Lazarus campaigns and found strong similarities.
Our research shows a MEDIUM-HIGH likelihood that Lazarus group, a North-Korean, state-sponsored APT group, is attacking crypto exchanges all over the world and in Israel for at least three years. This group is has successfully hacked into numerous companies and organizations around the world for many years. Until recently this group was not known to attack Israeli targets.
We would like to thank NTT Security Japan for sharing malware samples with us, and for their feedback on this research.
[1] https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html
[2] https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf
[3] https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf