North Korean hackers behind DeBridge Finance attack: Co-founder

  • The Lazarus hacker group tried using several team members of the company to launch the attack by sending spoofed emails containing a PDF file named “New Salary Adjustments.”
  • One employee downloaded the file, leading to an attack on its internal system.

The infamous North Korean Lazarus hacker group responsible for several high-profile attacks reportedly made a quick attempt on Debridge Finance. Alex Smirnov, co-founder and project lead at DeBridge Finance disclosed this on Friday.

The company is known for providing cross-chain interoperability and liquidity protocol used for transferring data and assets between blockchains. 

According to Smirnov, the Lazarus hacker group tried using several team members of the company to launch the attack by sending spoofed emails containing a PDF file named “New Salary Adjustments.” It is important to note that spoofed emails are manipulated to look like they came from a trusted source. In this particular attack, the email appeared to have come from the co-founder of the company. 

Smirnov explained that the team members have been taken through basic training on possible attacks.

We have strict internal security policies and continuously work on improving them as well as educating the team about possible attack vectors.

Regardless, one employee downloaded the file, leading to an attack on its internal system. 

Investigation into the attack by the Lazarus hacker group

An initial investigation to know where the attack came from, its purpose, and any possible consequences revealed that the downloaded file was designed to export information to the hackers.

Fast analysis showed that received code collects A LOT of information about the PC and exports it to [the attacker’s command center]: username, OS info, CPU info, network adapters, and running processes.

Smirnov also observed that the attack on Debridge had similar characteristics as another attack posted on Twitter said to have been launched by the Lazarus group.

He cautioned, his followers to not open any email without first verifying the sender’s full name. Also, they should have an internal protocol for how their team share attachment to differentiate from those coming from threat actors. 

According to David Schwed, chief operating officer of blockchain security firm Halborn, this kind of attack is very common. He explained that hackers attempt to take advantage of the inquisitive nature of people to name these malicious files in a way that may get their attention.  Schwed further disclosed that the immutability of blockchain transactions makes blockchain companies the primary target of these types of attacks. 

The Lazarus hacker group is said to be behind the attack on Ronin Network, an Ethereum sidechain used by the play-to-earn crypto game, Axie Infinity. They managed to steal $622 million worth of cryptos, making it the second largest Defi hack to date. The earliest attack of this hacker group date back to 2009 with the FBI labeling them as a “state-sponsored hacking organization”. They were also said to be responsible for the WannaCry ransomware attack in 2017, the breach of Sony Pictures in 2014, as well as several other attacks on pharmaceutical companies in 2020. 

Source