HIDDENCOBRA (APT38) Responsible for 100M USD Cyberheist Against Blockchain Provider

Description

Earlier the FBI announced that HIDDEN COBRA (also known as APT38/LAZARUS) is behind the latest cyberheist of 100M against cryptocurrency blockchain provider Horizon Bridge, which is a U.S. based startup owned by Harmony. The assets stolen by Lazarus were cryptocurrency coins - Ethereum, Binance Coin, Tether, USD Coin, and DAI.


HIDDEN COBRA is a state sponsored organization headed by the North Korean government.


What are the Technical Details of this Attack?

HIDDEN COBRA used a combination of targeted attacks, specifically spearphishing campaigns designed to compel a user into unknowingly installing malware. Dubbed TraderTraitor, HIDDEN COBRA used fake recruitment efforts in the cryptocurrency space; using offers and templates designed to entice those working in positions in targeted companies within. They used the AppleJeus malware which was disguised as legitimate cryptocurrency applications. Targets included individuals and companies within the cryptocurrency exchange and financial service sectors.


Who is HIDDEN COBRA/LAZARUS/APT38?

HIDDEN COBRA has been linked to multiple high-profile, financially-motivated attacks in various parts of the world - some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around 81 million dollars in total.


What Protections are Available?

Fortinet customers running the latest (AV) definitions are protected by the following signatures:

OSX/NukeSped.J

Riskware/AlticGO

Riskware/DAFOM

Riskware/CryptAIS

Riskware/TokenAIS

OSX/NukeSped.AA!tr

W64/Agent.IN!tr

W32/OSX_Nukesped.J!tr.bdr

OSX/NukeSped.J!tr


All network IOC's are blocked by the WebFiltering Client.