2023-03-29

Below: Huawei is on the Belgian intelligence's watch list, and cyber experts call on CISA to assess maritime equipment security. First:

Stealing cryptocurrency, cryptomining and money laundering fill the toolbox of a North Korean hacking group

Security researchers examining a North Korean government-linked hacking group turned up a money-laundering scheme that, if not unique, is a bit outside the norm in the eyes of cryptocurrency experts.

In a report out Tuesday, Google’s Mandiant said the hackers were taking stolen crypto and then renting services to help them “mine,” or create, clean digital currency.

My colleague Michelle Ye Hee Lee and I wrote a story about Mandiant’s report on the group, which the company has dubbed APT43. “APT” stands for advanced persistent threat, a term usually associated with government-level sophistication.

We touched on APT43’s usage of cryptomining in that story, and here we’ll dive into it further. Responses from crypto experts about the group’s techniques ranged from “it seems a little odd” to “it’s sort of an old money-laundering type.” Some hadn’t heard of it happening before.

The group

APT43 — known to other cybersecurity firms and government agencies by names like Kimsuky, Thallium and TA406 — has likely been around since 2012, according to the Cybersecurity and Infrastructure Security Agency. It’s focused on cyberespionage, unlike some other North Korean government-connected hackers who are more dedicated to stealing large amounts of cryptocurrency to aid the regime. (North Korea has used the stolen crypto to fund its ballistic missile and nuclear programs, U.N. inspectors have said.)

But APT43 steals cryptocurrency, too. The idea, according to Mandiant, is to use the money to keep operations going — so the hacking operations can be more financially sustainable. It’s more prone to targeting individuals than scoring hundreds of millions from, say, a popular crypto game.

The small size of the thefts “matches what we’ve seen with them using cryptocurrency to pay domain registration fees or rent infrastructure,” Ben Read, head of Mandiant’s cyberespionage analysis, told us. “We haven’t seen sort of the super-big heist.”

Some of those stolen funds pay for “hash rental” or “cloud mining” services, where a customer pays to use someone else’s mining infrastructure. That’s how the hackers get clean cryptocurrency, according to Mandiant.

The practice

Here’s what a couple of crypto experts told me about how common the practice is:

“It seems a little odd, but it's not totally odd,” said Steven Gordon, a professor at Babson College who researches blockchains and cryptocurrencies.

“I think it's a sort of an old money-laundering type … in crypto,” said Tom Robinson, chief scientist and co-founder of blockchain analysis firm Elliptic. “We do see proceeds of crime going to cloud mining services. It's been happening since the advent of cryptocurrency, really.”

Whether it’s an effective way to launder money is a different question.

“I would imagine that it's not the best way to launder the money, but it's hard to put myself in their shoes,” Nick Hansen, CEO and co-founder of Luxor, which offers mining services, told me. “There’s always a discount for laundered money. We’ve all seen the movies when people say, ‘I’m going to take a third for laundering.’ I'm not sure what the going rate is for laundering. It’s hard for me to make a strong statement as to whether it’s efficient or not.”

Stefano Chierici, threat research lead manager at Sysdig, which has done research on crypto mining, told me that “it makes sense.” The hackers “might lose something” if they pay for the services, but if they don’t, “they still have dirty money so they don’t know what to do with it,” he said. “That’s the gamble.”

Elliptic’s Robinson said it is effective “as long as you can be confident that the cloud mining provider isn't keeping records of identities and keeping records of transactions. If they are doing that, then it's a poor way of mining crypto.”

And it makes sense for cybercriminals to be considering the method against the alternatives, according to Gordon. For example, if law enforcement blacklists a particular cryptocurrency wallet after identifying stolen currency, the thinking is that “I've got this dirty crypto, I've got this money in my wallet that I can't use in any other way. And maybe one thing I can do is pay to rent hash power” from an “irreputable” service, he said.

That “irreputable” part is perhaps what makes it a viable technique. Such services “might fall into a regulatory gray area,” Robinson said. It’s a familiar tale in the crypto world.

The keys

Huawei added to Belgian intelligence watch list

Belgium’s State Security Service (VSSE) has put China-based telecom company Huawei under the microscope amid broadening concerns about Chinese espionage in Europe, Politico’s Samuel Stolton and Laurens Cerulus report, citing confidential documents and people familiar with the matter.

VSSE in recent months requested interviews with individuals formerly involved in Huawei’s Brussels-based lobbying efforts, to examine how China uses nonstate actors to advance its government’s interests in Europe, the report said.

The decision from Belgian authorities comes amid growing Western worries about the national security impact of China-linked technologies and apps, notably TikTok, as well as foreign influence concerns in Europe following a scandal in which Qatar “sought to influence Brussels through bribes and gifts via intermediary organizations,” Stolton and Cerulus write.

VSSE declined to comment to Politico, and a spokesperson for Huawei said the company was unaware of the interviews.

Hackers can remotely break into Tesla vehicle systems, researchers say

Hackers are able to leverage vulnerabilities to remotely access several functions in a Tesla vehicle, including turning off lights, opening the trunk and changing settings on its infotainment system, Lorenzo Franceschi-Bicchierai from TechCrunch reports, citing findings from security researchers.

“The researchers, who work for security firm Synacktiv, found the vulnerabilities and showcased them at the Pwn2Own conference in Vancouver last week,” Franceschi-Bicchierai writes.

Tesla told the researchers that the vulnerabilities may annoy a driver but would not allow someone to turn the car on and off or steer the vehicle, the report said. However, one of the researchers was not fully confident in Tesla’s assessment, though they could not prove anything further because they lacked full access to a Tesla. The company didn’t respond to TechCrunch’s request for comment.

The story later adds that Tesla plans to roll out patches for the vulnerabilities discovered by the researchers. The researchers also noted that Tesla, overall, does a good job of isolating its systems from one another, which prevents attackers from gaining higher privileges over vehicle systems.

Your Cybersecurity 202 host reported in October that the more computer components are embedded in automobiles, the more exposed those vehicles become to cyberattacks.

New report calls on CISA to probe security of maritime equipment

A new report from the Cyberspace Solarium Commission’s successor organization, CSC 2.0, is calling on the Cybersecurity and Infrastructure Security Agency to establish a testing framework for probing the security posture of maritime equipment, John Hewitt Jones reports for FedScoop.

The proposals come in the wake of previous cyberattacks on maritime equipment in Europe, including a ransomware attack on the Port of Lisbon in December, he writes.

The testing capability could mirror a related testing initiative used by the Energy Department for industrial control systems, known as CyTRICS, according to the report.

“Similarly, the [U.S. Coast Guard’s] collaboration with CISA’s National Infrastructure Simulation and Analysis Center could facilitate an OT test bed program to identify potential cybersecurity vulnerabilities in existing infrastructure,” the CSC 2.0 report says.

Secure log off

