In a report issued on June 24, ClearSky said the group it calls "CryptoCore" has been active since 2018, primarily targeting exchanges and their partners in Japan and the US, although the activity is said to have decreased in the first half of this year.
CryptoCore is known to have accumulated about $70 million from its thefts but ClearSky estimates that the total exceeds $200 million, according to the report.
ClearSky said it assesses "with medium level of certainty" that the threat actor has links to Eastern Europe, particularly Romania, Russia or Ukraine, although it has no conclusive understanding of the group's origin. The group was described as "not extremely technically advanced, yet it seems to be swift, persistent, and effective".
According to ClearSky, the cyber criminals conduct "extensive reconnaissance" of targeted companies, executives and IT personnel, usually by spear-phishing, in an attempt to gain access to cryptocurrency wallets belonging to either the exchanges or their employees. The Israeli company assessed that it takes between hours and weeks for the spear-phishing email to be sent to a corporate email account of an executive.
"The spear-phishing is typically carried out by impersonating a high-ranking employee either from the target organization or from another organization (e.g. advisory board) with connections to the targeted employee," the report said.
"After gaining an initial foothold, the group’s primary objective is obtaining access to the victim’s password manager account. This is where the keys of crypto-wallets and other valuable assets – which will come handy in lateral movement stages – are stored. The group will remain undetected and maintain persistence until the multi-factor authentication of the exchange wallets will be removed, and then act immediately and responsively."Read more from Cybertech News: