The Federal Bureau of Investigation (FBI) has issued a strongly worded Public Service Announcement (PSA) regarding the Democratic People’s Republic of Korea’s (DPRK’s) aggressive targeting of cryptocurrency resources. The PSA comes as state-backed hackers have been observed increasing the persistence, scale, and sophistication of their efforts targeting sectors like cryptocurrency exchange-traded funds (ETFs) over recent months. Thankfully, the FBI also uses its PSA to reveal some of the social engineering tactics and mitigations to be aware of. It explains what to do if you think you’ve fallen victim to the DPRK’s malicious cyber actors.
According to the FBI’s statement, the DPRK’s latest digital onslaught is “complex and elaborate, often compromising victims with sophisticated technical acumen.” Individuals and firms in the decentralized finance (DeFi) industry are now favored targets. However, malicious cyber actors have been observed researching and preparing to focus on targets connected to cryptocurrency exchange-traded funds (ETFs) – so if you work with ETFs, you should be more careful than ever. The DPRK is happy to steal cryptocurrency funds from anywhere, though.
One of the characteristics of this new wave of malicious cyber activity from the DPRK is the extensive research completed before an attempted heist. For social engineering purposes, the malicious actors will “scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms.” So watch what you post on the platforms you are LinkedOn (ahem), and be deliberate about how much detail you share publicly, since it feeds the pretext used against you.
In addition to taking their time to build rapport and steer conversations with intended victims, DPRK agents sometimes impersonate people a victim knows about (e.g., a prominent professional) or knows directly. Those looking for a career move or change may be particularly vulnerable, as the FBI says DPRK agents also commonly impersonate recruitment firms.
Beyond being generally aware of cyber safety, what can you do? Particular indicators to be wary of include requests to download apps or code, pre-employment tests that involve “executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories,” and unrealistically generous employment or investment offers. One widely reported case involved a software engineer who facilitated the loss of $600 million to DPRK hackers after responding to a job offer and filling out an online form.
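The “coding test” lure works because installing a package can run attacker code before you ever open the challenge: npm executes lifecycle scripts such as `postinstall` during `npm install`, and `pip install` of a source distribution runs `setup.py`. The script below is an added example, not part of the FBI PSA, that triages an unsolicited project directory for those install-time hooks and for common payload indicators (dynamic code execution, encoded blobs, process spawning, network calls). The `package.json` and `setup.py` it inspects are constructed samples embedded inline; the decoded payloads are harmless placeholders.

```python
"""Pre-install triage for an unsolicited 'coding test' project.

Added example; constructed sample inputs below. It does NOT replace
running the test in a disposable VM, and its regexes are deliberately
high-recall, so expect some false positives on legitimate tooling.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install` (unless --ignore-scripts).
NPM_LIFECYCLE = {"preinstall", "install", "postinstall",
                 "prepare", "preprepare", "postprepare", "prepublish"}

# (pattern, reason) pairs: crude indicators of an install-time payload.
SUSPICIOUS_PATTERNS = [
    (r"\beval\s*\(", "dynamic code execution"),
    (r"\bexec\s*\(", "dynamic code execution"),
    (r"base64", "encoded payload"),
    (r"child_process|subprocess|os\.system", "spawning processes"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "raw-IP network address"),
    (r"\bcurl\s|\bwget\s", "download in script"),
    (r"\burllib\b|\brequests\b|fetch\(|http\.get", "network call at install time"),
]


def scan_package_json(text):
    """Flag lifecycle hooks and suspicious commands in an npm manifest."""
    findings = []
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json: unparseable (inspect by hand)"]
    for name, cmd in pkg.get("scripts", {}).items():
        if name in NPM_LIFECYCLE:
            findings.append(f"package.json: lifecycle hook '{name}' runs on install: {cmd}")
        for pat, why in SUSPICIOUS_PATTERNS:
            if re.search(pat, cmd):
                findings.append(f"package.json: script '{name}' {why}: {cmd}")
    return findings


def scan_setup_py(text):
    """Flag suspicious lines in setup.py, which pip executes on install."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat, why in SUSPICIOUS_PATTERNS:
            if re.search(pat, line):
                findings.append(f"setup.py:{lineno}: {why}: {line.strip()}")
    return findings


def triage(root):
    """Scan a project directory; returns a list of human-readable findings."""
    root = Path(root)
    findings = []
    if (root / "package.json").exists():
        findings += scan_package_json((root / "package.json").read_text())
    if (root / "setup.py").exists():
        findings += scan_setup_py((root / "setup.py").read_text())
    return findings


# Constructed sample: a lure repo whose postinstall hook eval()s a base64 blob
# ('console.log('hi')') and whose setup.py spawns a shell ('echo hi').
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "coding-challenge", "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=','base64').toString())\"",
    },
})
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import subprocess, base64\n"
    "subprocess.Popen([\"sh\", \"-c\", base64.b64decode(b\"ZWNobyBoaQ==\").decode()])\n"
    "setup(name=\"challenge\", version=\"0.1\")\n"
)
CLEAN_PACKAGE_JSON = json.dumps({"name": "ok", "scripts": {"test": "jest"}})


def demo_constructed_samples():
    """Write the constructed lure into a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        (Path(d) / "setup.py").write_text(SAMPLE_SETUP_PY)
        return triage(d)


if __name__ == "__main__":
    for f in demo_constructed_samples():
        print(f)
```

If the triage flags anything, do not run the project on a machine with wallet keys, SSH keys or session tokens on it. Even for a clean result, `npm install --ignore-scripts` prevents lifecycle hooks from running, and a throwaway VM with no credentials is the right place to open any test a stranger sent you.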
Suggested mitigations include creating a contact verification methodology before pursuing further communications, securing information about crypto wallets, using multi-factor authentication, and more. Many of the mitigations sound like common sense, but the FBI’s complete list is worth reviewing for anyone in the industry.
If the worst comes to the worst and you are reading the FBI’s PSA because you think you or your company have fallen victim to any of the social engineering tactics discussed above, there are several steps you are advised to follow. First, disconnect suspected impacted devices from the internet. Don’t power them off, though: the FBI is interested in “access to recoverable malware artifacts,” and a shutdown destroys whatever is in memory. Next, contact the FBI / law enforcement with as many details about the incident as possible.
North Korea is thought to use cryptocurrencies as a way to evade U.S. sanctions and to fund investments in weapons research and development.