The Jerusalem Post

‘Cyber group stole $70m. in Israeli cryptocurrency’

Report says total taken was $200m. globally

By YONAH JEREMY BOB

An as-yet-unnamed cyber group from Eastern Europe has stolen $70 million from Israeli cryptocurrency exchanges between mid-2018 and the present, the cybersecurity firm Clearsky revealed on Wednesday in a report obtained by The Jerusalem Post.

In addition, the report says that the crypto cyber gang, which Clearsky dubs “CryptoCore,” has robbed cryptocurrency exchanges worldwide of around $200 million, with a particular focus on the US and Japan.

According to the report, Clearsky has “been tracking CryptoCore group campaigns for almost two years, with no conclusive understanding of the operators’ origin; however, we assess with medium level of certainty that” the group “has links to the East European region, Ukraine or Russia.”

Clearsky noted that, “cryptocurrency exchanges have become targets for constant attacks… Threat actors of all kinds try to infiltrate corporate networks for reconnaissance, ransomware deployment, and plainly to steal money from those exchanges, specifically from their ‘hot’ (i.e. active, connected) wallets.”

The report said that cryptocurrency exchanges are perceived as less well protected against hacking than banks in general or the SWIFT interbank messaging system.

Further, Clearsky explained that even if “at first it seems easier to track the stolen money through blockchain, identifying and attributing wallets to entities and individuals is generally more difficult.”

Next, the report named the top three attacks, against Coinbase, Upbit and Binance; Binance was hacked at least twice and also had sensitive identification data leaked.

It discussed attacks carried out by the North Korean group “Lazarus” (aka Hidden Cobra) and the exploitation of vulnerabilities in smart contracts running on the Ethereum platform, a blockchain that competes with Bitcoin, in the ultimately unsuccessful attack on Uniswap and Lend.me2.

Elaborating about CryptoCore’s method of operation, the report said that, “the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT [Information Technology] personnel.”

While the group’s key infiltration method “is usually through spear-phishing against the corporate network, the executives’ personal email accounts are the first to be targeted.”

Next, “it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive. The spear-phishing is typically carried out by impersonating a high-ranking employee either from the target organization or from another organization (e.g. advisory board) with connections to the targeted employee.”

After gaining a foothold within the system, “the group’s primary objective is obtaining access to the victim’s password manager account. This is where the keys of crypto-wallets and other valuable assets – which will come handy in lateral movement stages – are stored.”

Moreover, getting that access means that “the group will remain undetected and maintain persistence until the multi-factor authentication of the exchange wallets will be removed,” so it can steal funds.
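A detection check for the impersonation pattern described in the preceding paragraphs, added here as an example and not taken from Clearsky’s report or from the article: it flags mail whose display name matches a known executive but whose address is not that executive’s corporate mailbox, sender domains that sit a few edits away from the corporate domain, and Reply-To headers that steer replies to a third domain. The corporate domain, the executive roster and the sample messages are all hypothetical values constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive roster for the illustration
# (hypothetical values, not taken from the Clearsky report or the article).
CORPORATE_DOMAIN = "example-exchange.com"
EXECUTIVES = {
    "dana levi": "dana.levi@example-exchange.com",
    "avi cohen": "avi.cohen@example-exchange.com",
}
LOOKALIKE_MAX_EDITS = 2


def normalize_name(display_name):
    """Lower-case a display name and drop punctuation; returns the words."""
    return re.sub(r"[^a-z ]", "", display_name.lower()).split()


def levenshtein(a, b):
    """Classic edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, target=CORPORATE_DOMAIN):
    """True for a domain that is not the corporate one but is within a few
    edits of it (a dropped letter, a digit swapped for a letter, etc.)."""
    return domain != target and 0 < levenshtein(domain, target) <= LOOKALIKE_MAX_EDITS


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Return a list of impersonation indicators for one RFC 822 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Executive's name in the display name, but not the executive's real mailbox
    # (word order is ignored so "Levi Dana" still matches "Dana Levi").
    key = " ".join(sorted(normalize_name(display_name)))
    known = {" ".join(sorted(n.split())): a for n, a in EXECUTIVES.items()}
    if key in known and from_addr.lower() != known[key]:
        findings.append("executive display name on a non-corporate address")

    # Sender domain that differs from the corporate domain by a few characters.
    if is_lookalike_domain(from_domain):
        findings.append("lookalike sender domain")

    # Replies silently redirected to a third domain.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


def scan(messages):
    """Map message index -> findings, omitting clean messages."""
    result = {}
    for i, m in enumerate(messages):
        hits = analyze_message(m)
        if hits:
            result[i] = hits
    return result


# Constructed sample messages for the demonstration (not real traffic).
SAMPLE_MESSAGES = [
    # 0: ordinary internal mail from the real executive mailbox.
    "From: Dana Levi <dana.levi@example-exchange.com>\n"
    "To: treasury@example-exchange.com\n"
    "Subject: Q3 figures\n\nAttached.\n",
    # 1: executive's name on a free-mail address, with replies steered elsewhere.
    "From: Dana Levi <dana.levi.ceo@gmail.com>\n"
    "Reply-To: dana@docs-share-secure.net\n"
    "To: treasury@example-exchange.com\n"
    "Subject: Urgent: wallet access review\n\nPlease open the attachment today.\n",
    # 2: typo-squatted corporate domain (trailing letter dropped).
    "From: IT Support <helpdesk@example-exchange.co>\n"
    "To: ops@example-exchange.com\n"
    "Subject: Password manager migration\n\nLog in via the link below.\n",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_MESSAGES).items():
        print(idx, hits)
```

Two caveats follow from the report itself. The executives’ personal mailboxes are targeted first, and a check like this only sees mail that reaches the corporate gateway, so it catches the second stage, not the first. And because the stated objective after the foothold is the password manager and the removal of wallet MFA, the corresponding alerts (new device or location on the password-manager account, any change to an exchange wallet’s MFA settings) deserve the same priority as the mail check.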

Curiously, Clearsky said that despite steady activity from mid-2018 through 2020, “Its activity has receded in the first half of 2020, one possible reason being the limitations induced by the COVID-19 pandemic – but it didn’t stop completely.”

An August 2019 report by Clearsky also described some of these trends, including theft from Israeli exchanges, but not with the same scope.

The reports include examples of Hebrew emails tailored to fool Israelis.

Clearsky CEO Boaz Dolev said that, “even though the group does not have advanced capabilities, it acts systematically, over an extended period and integrated with pre-developed intelligence,” which has enabled it to steal massive amounts of funds in Israel and worldwide.

According to Clearsky, the company brings top of the line cyber solutions to top tier companies worldwide, and its cyber intelligence team is dedicated to detecting threats and threat actors, especially those aimed at governments, finance, critical infrastructures and pharma companies.
