How a LinkedIn Job Ad Led to the World’s Largest Cryptocurrency Heist

    Cybercriminals will go to enormous lengths to ensure their strategies to steal or extort money are a success. But, as organizations and their employees become increasingly focused on building effective cybersecurity defenses, their adversaries are designing ever more sophisticated strategies to overcome them.

    Take the recent case of Axie Infinity, for example, a blockchain-powered online game with over a million daily users globally. Following a security breach in which attackers used a malware-laced file to gain access to the network of its publisher, Sky Mavis, the company lost almost $620 million in cryptocurrency (ether and the USDC stablecoin), the largest sum then on record for a single crypto theft.

    What was remarkable about this incident wasn’t the use of file-based malware to initiate the attack; that has been a highly effective cybercrime tactic for years, and one that organizations still struggle to defend against. What is notable here is the time and effort the attackers invested in delivering the spyware payload.

    The chain of events since uncovered is remarkable. North Korean state-backed attackers are suspected of having created fake job postings on LinkedIn to convince Sky Mavis personnel that a new, generously paid role was on offer. One software engineer found the accompanying recruitment process so convincing that they went through several rounds of fake interviews, all part of a plan by the attackers to gain access to their employer’s infrastructure.

    When the bogus recruitment process reached the offer stage, the would-be employee received a written offer from the attackers. According to one media report, the PDF file they were sent was “laced with spyware”, which activated as soon as the victim opened the attachment. That foothold is what let the attackers go on to reach the infrastructure behind Sky Mavis’s Ronin bridge and gather enough validator signatures to authorize the withdrawals that emptied it, plunging Sky Mavis into a crisis that soon became public.

    If assessments that North Korea was responsible are correct, the attack could form part of a coordinated strategy to boost the finances of the isolated nation. That attribution also complicates the investigation and any effort to recover the stolen funds.

    Unfortunately, the theft of bitcoin and other cryptocurrencies is increasingly common. According to a recent analysis, the Axie Infinity “heist” now tops the list of the largest crypto thefts reported globally, and in more than 100 documented incidents over $2 billion has been stolen so far this year, swiftly approaching the record set last year.

    This story underlines the complex threats faced by organizations the world over. The tactics cybercriminals use vary, but what many attacks have in common is that the malware reaches the target network by the simplest of methods: an employee opening an infected file.

    A proactive approach

    But why do organizations find these attacks so difficult to prevent? In many cases, current cybersecurity strategies rely on detection-based techniques to stop malware outbreaks. These technologies, such as antivirus and sandboxing, play a vital role in a holistic cybersecurity strategy, but they operate with inherent blind spots that can leave networks exposed.

    For instance, a zero-day vulnerability or exploit is by definition unknown to the organization being targeted and to the reactive security tools that act as its first line of defense. Until a patch is available and antivirus signatures are updated, there is a ‘protection gap’ that by some estimates can last up to 18 days. During this window zero-day attacks are significantly more effective, while antivirus and sandboxing solutions play catch-up with the emerging threat.

    So what can be done about the serious security challenge that file-based threats present, when roughly 1 in every 100,000 files contains potentially malicious content?

    By one industry estimate, 70% of the malware found in files is an unknown variant at the moment it arrives, so reactive tools have no signature to match it against. Organizations therefore need a proactive strategy for file security, using approaches such as Content Disarm and Reconstruction (CDR). Rather than deciding whether a file is malicious, CDR treats every inbound file as untrusted: it strips out the elements that can carry or trigger code (macros, embedded scripts and actions, embedded objects) and rebuilds the file to the format vendor’s published specification, so the delivery mechanism is removed whether or not the payload has ever been seen before.
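    The disarm-and-rebuild idea is easier to see on a concrete file. The Python below is an added example written for this page, not code from the original article or from any CDR vendor. It takes a small constructed PDF whose catalog carries an `/OpenAction` that runs JavaScript on open (a stand-in for the “laced” offer letter), removes the dictionary keys and action types that can carry or trigger code, drops any object the document root no longer references, and writes the result back out with a freshly computed cross-reference table so the file is still valid. The function and constant names (`rebuild`, `emit_pdf`, `ACTIVE_KEYS`, `BOOBY_TRAPPED`) and the sample document are assumptions of the example, and it handles only uncompressed, single-revision PDFs without object streams, which a production engine must also decode.

```python
# Toy Content Disarm and Reconstruction (CDR) pass for PDF files: an added
# example, not code from the original article or from any CDR product. It
# assumes an uncompressed, single-revision PDF with no object streams.
import re

# Dictionary keys that trigger or carry active content; CDR drops them
# unconditionally instead of matching the payload against a signature.
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFiles", b"/RichMedia", b"/XFA")
# Action types (the /S value) that execute or send data by themselves.
ACTIVE_ACTIONS = {b"/JavaScript", b"/Launch", b"/SubmitForm", b"/ImportData"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
ROOT_RE = re.compile(rb"/Root\s+(\d+)\s+\d+\s+R")
NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")
# Scalar values: reference, literal string (escapes ok, no nested parens), hex string, token.
TOKEN_RE = re.compile(rb"\d+\s+\d+\s+R|\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>|/?[^\s/<>\[\]()]+")


def find_active_content(pdf: bytes) -> list:
    """Detection-style scan: which active-content keys occur in the raw bytes."""
    return [k.decode() for k in ACTIVE_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", pdf)]


def _skip_value(body: bytes, i: int) -> int:
    """Return the index just past the PDF value that starts at body[i]."""
    while body[i:i + 1].isspace():
        i += 1
    if not body.startswith((b"<<", b"["), i):          # scalar value
        return TOKEN_RE.match(body, i).end()           # AttributeError on junk input
    opener, closer = (b"<<", b">>") if body[i:i + 1] == b"<" else (b"[", b"]")
    depth = 0                                          # dictionary or array, may nest
    for m in re.finditer(re.escape(opener) + b"|" + re.escape(closer), body[i:]):
        depth += 1 if m.group() == opener else -1
        if depth == 0:
            return i + m.end()
    raise ValueError("unterminated dictionary or array")


def disarm_dict(body: bytes, i: int = 0):
    """Rebuild the dictionary at body[i] without active content. Returns
    (bytes, end index); bytes is None when the dictionary is itself an action."""
    i, kept, is_action = i + 2, [], False              # skip "<<"
    while not body.startswith(b">>", i):
        if body[i:i + 1].isspace():
            i += 1
            continue
        m = NAME_RE.match(body, i)
        if not m:
            raise ValueError("expected a name key at offset %d" % i)
        key, i = m.group(), _skip_value(body, m.end())
        value = body[m.end():i].strip()
        if key == b"/S" and value in ACTIVE_ACTIONS:   # e.g. << /S /Launch /F (cmd) >>
            is_action = True
        if value.startswith(b"<<"):                    # inline dictionary: recurse
            value, _ = disarm_dict(value)
        if key not in ACTIVE_KEYS and value is not None:  # /OpenAction, /JS ... dropped
            kept.append(key + b" " + value)
    return (None if is_action else b"<< " + b" ".join(kept) + b" >>"), i + 2


def emit_pdf(objects: dict, root: int) -> bytes:
    """Serialise {num: (gen, body)} as a PDF with a recomputed xref table."""
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num in sorted(objects):
        offsets[num] = len(out)
        out += b"%d %d obj\n%s\nendobj\n" % ((num,) + objects[num])
    size, xref_pos = max(objects) + 1, len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):                         # free entries fill number gaps
        out += (b"%010d %05d n \n" % (offsets[num], objects[num][0])
                if num in objects else b"0000000000 65535 f \n")
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, root, xref_pos)
    return bytes(out)


def rebuild(pdf: bytes) -> bytes:
    """Disarm every object, drop what /Root no longer reaches, and re-emit."""
    root, cleaned = int(ROOT_RE.search(pdf).group(1)), {}
    for m in OBJ_RE.finditer(pdf):
        num, gen, body = int(m.group(1)), int(m.group(2)), m.group(3)
        if body.startswith(b"<<"):
            new, end = disarm_dict(body)
            body = (b"null" if new is None else new) + body[end:]  # keeps any stream
        cleaned[num] = (gen, body)
    reachable, stack = set(), [root]                   # orphaned payloads vanish here
    while stack:
        n = stack.pop()
        if n in cleaned and n not in reachable:
            reachable.add(n)
            stack.extend(int(r) for r in REF_RE.findall(cleaned[n][1]))
    return emit_pdf({n: cleaned[n] for n in reachable}, root)


# Constructed sample: a one-page PDF whose catalog /OpenAction runs JavaScript
# the moment a viewer opens it, standing in for the "laced" offer letter.
BOOBY_TRAPPED = emit_pdf({
    1: (0, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"),
    2: (0, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
    3: (0, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"),
    4: (0, b"<< /S /JavaScript /JS (app.launchURL\\(\"http://example.invalid/\"\\)) >>"),
}, root=1)
```

    `find_active_content(BOOBY_TRAPPED)` reports `/OpenAction`, `/JavaScript` and `/JS`; `rebuild(BOOBY_TRAPPED)` returns a document in which none of them remain and the JavaScript object is gone altogether, because nothing references it once the catalog entry is dropped. The point to notice is that the code never inspects the payload: the script string is simply not copied through, which is why this approach has no ‘protection gap’ waiting on a signature update. The flip side is that a rebuild also drops legitimate form scripts and embedded attachments, so CDR deployments normally quarantine the original for a reviewer to release on request.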

    In doing so, security teams not only close the protection gap that undermines the integrity of so many networks but can also strike a much more effective balance between the roles played by technology and by employee best practice. CDR addresses the delivery stage; it does not limit what an attacker can do after a workstation is compromised by other means, so it belongs alongside least-privilege access to sensitive infrastructure and keys rather than in place of it. Until organizations address the blind spot that file-based threats create, the costs will continue to grow.

