According to Ripple’s announcement, the firm is sharing high-confidence DPRK threat intel through Crypto ISAC (crypto’s industry Information Sharing and Analysis Center) to assist security teams in transitioning from awareness to action against the increasing number of North Korean cyber criminals infiltrating crypto companies “from the inside out.”
Operation methods of North Korean hackers
The newest wave of attacks has moved from exploiting traditional vulnerabilities to a stealthier, harder-to-detect method: gaining access through trusted channels using long-term deception, also described as social engineering and recruitment.
One example of this is the Drift hack, which was a major wake-up call. Rather than exploiting a smart contract to gain access to the protocol’s funds, the attackers spent several months gaining the trust of contributors. During that time, they exploited that trust, compromising the contributors’ devices with malicious software and bypassing traditional indicators of compromise (IOCs).
Nevertheless, some companies and recruiters are already aware of these infiltration methods and are implementing some, let’s say, “organic” workarounds to avoid being deceived. A video interview that went viral in April shows a supposed IT worker who was unable to respond to a tricky question. The recruiter asked him if he could repeat “Kim Jong Un is a fat, ugly pig.” After hesitating for a moment, the scammer went off.
How DPRK threat intel is handled
Ripple’s contribution to the threat landscape also differs in its context: rather than simply providing an individual threat actor’s profile through a typical Information Security Policy (ISP)/Cyber Threat Exchange (CTE), it also contains contextual enrichment and the relationships between the different cyber threat intelligence sources within Crypto ISAC.
For example, the Democratic People’s Republic of Korea (DPRK) IT worker profile shared through Crypto ISAC doesn’t simply contain an individual’s name; it also contains a LinkedIn profile, email address, geographical location, contact number, and correlation with other signals concerning an individual’s connection to a broader campaign. As a result, the context turns a standard data point into actionable intelligence that organizations can share and act on across companies.
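As an added illustration (not code from Ripple or Crypto ISAC), the sketch below shows how a hiring or security team might screen a candidate record against profiles of the kind described above, normalizing each identifier and escalating only when two or more corroborate each other. The field names, the `match_candidate` helper, and all sample records are assumptions constructed for this example; they are not the Crypto ISAC API schema.

```python
import re
from urllib.parse import urlparse

# Constructed sample of shared IT-worker profiles. Field names are assumptions
# for this example, not Crypto ISAC's schema.
SHARED_PROFILES = [
    {"name": "Alex Example", "email": "alex.dev@example.com",
     "linkedin": "https://www.linkedin.com/in/alex-example-dev/",
     "phone": "+1 (555) 010-0199", "location": "Example City",
     "campaign": "CAMPAIGN-PLACEHOLDER-1"},
]

def norm_email(value):
    # Lowercase and drop "+tag" sub-addressing so alias variants still match.
    local, _, domain = value.strip().lower().partition("@")
    return f"{local.split('+')[0]}@{domain}" if local and domain else ""

def norm_linkedin(value):
    # Reduce any form of a LinkedIn profile URL to its trailing handle.
    path = urlparse(value.strip().lower()).path.rstrip("/")
    return path.rsplit("/", 1)[-1]

def norm_phone(value):
    # Keep digits only so formatting differences do not hide a match.
    return re.sub(r"\D", "", value)

# Name and location are kept as context only in this example (an assumption):
# they are not used as match keys.
NORMALIZERS = {"email": norm_email, "linkedin": norm_linkedin, "phone": norm_phone}

def match_candidate(candidate, profiles=SHARED_PROFILES):
    """Return (campaign, matched_fields, verdict) per profile sharing an identifier."""
    hits = []
    for profile in profiles:
        matched = []
        for field, norm in NORMALIZERS.items():
            mine = norm(candidate.get(field) or "")
            if mine and mine == norm(profile.get(field) or ""):
                matched.append(field)
        if matched:
            # One overlapping identifier is a lead; two or more corroborate.
            verdict = "escalate" if len(matched) >= 2 else "review"
            hits.append((profile["campaign"], sorted(matched), verdict))
    return hits
```
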
“Crypto ISAC’s newly updated API represents a meaningful step forward in how intelligence is shared across the ecosystem. As an early adopter, we’ve been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows. The result is higher-quality, more actionable intelligence that we can integrate directly into our security operations.” – Erin Plante, Director of Brand Security and Intelligence, Ripple.
The Infrastructure Behind the Sharing
Crypto ISAC has launched a new Application Programming Interface (API) designed specifically to express contextually rich, high-confidence crypto data. Ripple, Coinbase, and some other founding members are among the initial users of this solution, which normalizes intelligence across Web2 and Web3 threat indicators, then delivers it in an easy-to-use format built for direct integration into their security operations.
According to Crypto ISAC Executive Director Justine Bone, “For too long, information sharing was seen as optional. Today, it is the gold standard for security and Ripple’s action through Crypto ISAC is the definitive proof of concept, showing how to turn shared data into an actionable defense strategy that the entire industry can build upon.”

