<h1>Eastern European Hacker Group Stole $200m From Crypto Exchanges via Supply-Chain Attack</h1>
<p><em>Published 25 June 2020, modified 1 July 2020. Source: <a href="https://forklog.com/en/eastern-european-hacker-group-stole-200m-from-crypto-exchanges-via-supply-chain-attack/">forklog.com</a></em></p>
<p>Israeli cybersecurity firm ClearSky has <a href="https://www.clearskysec.com/cryptocore-group/">detected</a> that the hacker group known as CryptoCore has stolen over $200 million from cryptocurrency exchanges and companies in two years. For the most part, the threat actors, also tracked by ClearSky as Dangerous Password and Leery Turtle, have been targeting entities located in the United States and Japan.</p>
<p>ClearSky has been tracking CryptoCore's activity since May 2018 and concludes that the group is "not extremely technically advanced." In the first half of 2020, the hackers' activity declined notably, probably due to the COVID-19 outbreak. The company has not been able to determine the group's origin, saying only with a medium level of certainty that it has links to Eastern Europe, particularly Ukraine, Russia, or Romania.</p>
<h2>Impersonating High-Ranking Employees</h2>
<p>CryptoCore reportedly gains access to crypto exchanges' corporate wallets, or to wallets owned by exchange employees, through spear-phishing that primarily targets executives' personal email accounts. The threat actors then impersonate high-ranking employees either from the target company or from a related organization with connections to the targeted officer. The report further detailed:</p>
<blockquote><p><b><i>"After gaining an initial foothold, the group's primary objective is obtaining access to the victim's password manager account. This is where the keys of crypto-wallets and other valuable assets, which will come in handy in lateral movement stages, are stored. The group will remain undetected and maintain persistence until the multi-factor authentication of the exchange wallets will be removed, and then act immediately and responsively."</i></b></p></blockquote>
<p>ClearSky told forklog.media that it started digging deeper into this threat actor during an Incident Response investigation, which led it to a vast and evolving digital infrastructure operated by the attackers. The company said it would rather leave attribution of the attacks to the community, as attribution is uncertain and in such cases less is more.</p>
<p>Asked how cryptocurrency companies, which might be current or future targets of the CryptoCore group, can protect themselves, ClearSky said:</p>
<blockquote><p><b><i>"In general, in order to mitigate such threats, cryptocurrency exchanges must first be aware of these threats, as well as practicing employee training. In particular, any exchange SOC team has to actively block and hunt CryptoCore digital infrastructure. Deploying heuristics for checking suspicious activity such as a link file (LNK) communicating to a bit.ly link might be a good start."</i></b></p></blockquote>
<p>ClearSky said it cannot name the victims due to a non-disclosure agreement.</p>
<h2>Crypto-Related Losses Continue Rising</h2>
<p>According to blockchain analytics and crypto intelligence firm CipherTrace, in the first five months of 2020 the total losses of cryptocurrencies to criminals and scammers <a href="https://forklog.com/en/estimated-1-36-billion-in-crypto-lost-to-criminals-in-first-half-of-2020/">amounted to $1.36 billion</a>. Researchers suggest 2020 may bring the second-highest total of crypto lost to crime ever observed, the current record being 2019's $4.5 billion. 98% of the losses were attributed to investment fraud and misappropriation.</p>
<p>A recent study by the business software site Capterra revealed that remote workers have also <a href="https://forklog.com/en/zoom-users-fall-victim-to-personal-data-stealing-malware-research-says/">become greatly exposed to phishing emails</a> during the lockdown, with hackers aiming to steal users' passwords. Capterra pointed out that "despite the majority of workers stating they are pleased with working from home, the adoption of security measures still has room for improvement."</p>
<p><em>Article was edited to include additional comments by ClearSky</em></p>