朝鲜Lazarus集团通过加密货币黑客攻击牟利30亿美元

Threat actors from the Democratic People's Republic of Korea (DPRK) are increasingly targeting the cryptocurrency sector as a major revenue generation mechanism since at least 2017 to get around sanctions imposed against the country.

来自朝鲜民主主义人民共和国（DPRK）的威胁行为者自2017年以来越来越多地将加密货币行业作为一种主要的收入生成机制，以规避对该国的制裁。

"Even though movement in and out of and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime's ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information," cybersecurity firm Recorded Future said in a report shared with The Hacker News.

网络安全公司Recorded Future在与The Hacker News分享的一份报告中表示：“尽管进出该国和该国内部的移动受到严格限制，并且其一般人口与世界其他地区隔离，但该政权的统治精英和其经过高度培训的计算机科学专业人员可以特权地访问新技术和信息。”

"The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry."

“对于一小部分在数学和计算机科学方面表现出色的精选个体来说，他们对资源、技术、信息，有时甚至是国际旅行的特权访问，使他们具备进行针对加密货币行业的网络攻击所需的技能。”

The disclosure comes as the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.

此披露发生在美国财政部对Sinbad实施制裁之际，Sinbad是朝鲜链接的Lazarus Group用于洗钱非法所得的虚拟货币混合器。

The threat actors from the country are estimated to have stolen $3 billion worth of crypto assets over the past six years, with about $1.7 billion plundered in 2022 alone. A majority of these stolen assets are used to directly fund the hermit kingdom's weapons of mass destruction (WMD) and ballistic missile programs.

该国的威胁行为者据估计在过去的六年里窃取了价值30亿美元的加密资产，仅在2022年就掠夺了约17亿美元。这些被盗的资产的大部分用于直接资助隐士王国的大规模杀伤性武器（WMD）和弹道导弹计划。

"$1.1 billion of that total was stolen in hacks of DeFi protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022," Chainalysis noted in its 2023 Crypto Crime Report.

Chainalysis在其2023年的加密犯罪报告中指出：“这笔总额的110亿美元中，有11亿美元是在对DeFi协议的攻击中窃取的，使朝鲜成为推动2022年DeFi黑客趋势的主要力量之一。”

A report published by the U.S. Department of Homeland Security (DHS) as part of its Analytic Exchange Program (AEP) earlier this September also highlighted the Lazarus Group's exploitation of DeFi protocols.

美国国土安全部（DHS）作为其Analytic Exchange Program（AEP）的一部分，在今年9月早些时候发布的报告中还强调了Lazarus Group对DeFi协议的利用。

"DeFi exchange platforms allow users to transition between cryptocurrencies without the platform ever taking custody of the customer's funds in order to facilitate the transition," the report said. "This allows DPRK cyber actors to determine exactly when to transition stolen cryptocurrency from one type of cryptocurrency to another, enabling attribution to be more difficult to determine or even trace."

报告指出：“DeFi交易平台允许用户在平台不托管客户资金的情况下在加密货币之间转换，这有助于促使转换。” “这使得朝鲜的网络行为者能够准确确定何时将窃取的加密货币从一种加密货币转换为另一种，从而使归因变得更加困难甚至无法追踪。”

The cryptocurrency sector is among the top targets for state-sponsored North Korean cyber threat actors, as repeatedly evidenced by the myriad campaigns carried out in recent months.

加密货币行业是朝鲜国家支持的网络威胁行为者的首要目标之一，正如最近几个月中不断展示的那样。

DPRK hackers are known for adeptly pulling off social engineering tricks to target employees of online cryptocurrency exchanges and then lure their victims with the promise of lucrative jobs to distribute malware that grants remote access to the company's network, ultimately allowing them to drain all available assets and move them to various DPRK controlled wallets.

DPRK黑客以巧妙的社交工程伎俩而闻名，以目标在线加密货币交易所的雇员，然后以提供有利可图的工作的承诺引诱受害者分发能够远程访问公司网络的恶意软件，最终使他们耗尽所有可用资产并将其转移到各种由DPRK控制的钱包。

Other campaigns have employed similar phishing tactics to entice users into downloading trojanized cryptocurrency apps to steal their assets as well as watering hole attacks (aka strategic web compromises) as an initial access vector, alongside engaging in airdrop scams and rug pulls.

其他运动采用类似的钓鱼策略，引诱用户下载特洛伊木马加密货币应用程序来窃取其资产，以及水坑攻击（又称战略性网络妥协），以及进行空投骗局和拉庄骗局。

Another notable tactic adopted by the group is use of mixing services to conceal the financial trail and cloud attribution efforts. Such services are typically offered on cryptocurrency exchange platforms that do not employ know your customer (KYC) policies or anti-money laundering (AML) regulations.

该组织采用的另一种值得注意的策略是使用混合服务来掩盖金融路径并混淆归因努力。这类服务通常在不采用了解您的客户（KYC）政策或反洗钱（AML）法规的加密货币交易平台上提供。

"Absent stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry due to its past success in mining it as a source of additional revenue to support the regime," Recorded Future concluded.

Recorded Future总结道：“在缺乏对加密货币公司的更强规定、网络安全要求和投资的情况下，我们评估在短期内，朝鲜几乎肯定会继续以过去在其作为支持政权的额外收入方面的成功作为动力，继续瞄准加密货币行业。”

原文始发于微信公众号（知机安全）：朝鲜Lazarus集团通过加密货币黑客攻击牟利30亿美元