[co-author: Clare Reardon]
This past week the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) released a joint advisory report on HIDDEN COBRA—the cyber threat to cryptocurrency posed by North Korea—and provided mitigation recommendations for addressing this ongoing threat. This report was issued in conjunction with the unsealing of a wide-ranging indictment by the United States Attorney’s Office for the Central District of California that charged three North Korean hackers for their participation in a broad criminal conspiracy to conduct destructive cyberattacks that targeted the financial and entertainment industries, government contractors, and government agencies, including the U.S. Departments of State and Defense.
As explained in the advisory report, North Korea is engaged in state-sponsored malicious cyber activity that uses multiple versions of its “Applejeus” malware to infiltrate, compromise, and raid computer systems involved in the storage or exchange of cryptocurrency. In the past year alone, North Korean operators used the Applejeus malware to steal cryptocurrency from businesses in the finance, government, energy, technology, and telecommunications sectors in 30 countries throughout the world, including the United States. For example, the Applejeus malware was among the tools used by the charged North Korean hackers as they attempted to steal more than $1.3 billion in fiat currency and cryptocurrency.
The joint advisory report describes in detail multiple iterations of the Applejeus malware application, which were designed to mirror popular legitimate cryptocurrency wallet and exchange platforms operating on both Windows and Mac operating systems. Often made available to the end-user through phishing, social networking, or social engineering techniques, the Applejeus malware would spread across the computer system upon being downloaded and would provide the hacker with the ability to surreptitiously control, encrypt and remove stored material, including cryptocurrency.
The Applejeus malware continues to pose a serious threat to public and private organizations, particularly financial services companies and exchange platforms that regularly work with cryptocurrency. Therefore, all large businesses, but particularly those in the targeted sectors, should confirm that their cybersecurity teams have reviewed the joint advisory and should determine whether their existing internal security controls are capable of identifying and blocking this malware. Should mitigation be necessary, CISA, Treasury, and the FBI recommend numerous post-compromise and proactive mitigations, including the following:
- Compromise Mitigations: Organizations that identify Applejeus malware within their networks should contact the FBI, CISA, or Treasury immediately. They also should initiate incident response plans, which should include steps such as generating new keys for wallets, creating new wallets, moving funds out of compromised wallets, using two-factor authentication tools, and reimaging impacted host systems.
- Proactive Mitigations: The agencies’ recommendations for proactive steps are tailored to the type of business or end-user that potentially could be exposed to the Applejeus malware.
  - All Organizations: Organizations should incorporate the indicators of compromise (IOCs) identified in CISA’s Malware Analysis Reports into their intrusion detection and security alerting systems to enable active blocking and reporting of suspected malicious activity involving the Applejeus malware.
  - Financial Service Companies: Companies in this sector should verify compliance with the Federal Financial Institutions Examination Council (FFIEC) handbooks, especially those related to information security, and report suspicious cyber and financial activity as set forth in that guidance.
  - Cryptocurrency Businesses: These businesses should verify that they comply with the Cryptocurrency Security Standard and exercise particular vigilance, as they have repeatedly and successfully been targeted by the Applejeus malware.
  - Cryptocurrency Users: Users should verify the source of cryptocurrency-related applications, use multiple wallets for key storage, use custodial accounts with multi-factor authentication mechanisms for both user and device verification, patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency, and consider using a dedicated device for cryptocurrency management.
Given that the Applejeus malware was developed and used by state-sponsored criminal organizations, the threat is almost certain to persist. Therefore, awareness of the Applejeus malware, in its many evolving iterations, and implementation of the recommended mitigation strategies will be critical to preventing future intrusions.