Researchers at Palo Alto Networks’ Unit 42 yesterday outlined the activities of the large Monero mining operation they’ve called “WatchDog.” The criminal operation is notable for its longevity, having begun activity in January 2019. Unit 42 assesses WatchDog’s cumulative take at a bit more than 209 Monero (XMR), worth roughly $32,056. It’s a cryptojacking operation, using some four-hundred-seventy-six compromised, non-cooperating systems (mostly Windows or NIX cloud instances) to mine coin.
WatchDog is a nuisance, but its take amounts to petty larceny when compared to the haul Hidden Cobra (the Lazarus Group) has pulled in for North Korea. The US Justice Department yesterday unsealed the indictment of three North Korean operators belonging to that country’s Reconnaissance General Bureau. They’re charged with “conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around the world.” The Justice Department also said a resident of Mississauga, Ontario, had been separately indicted for laundering money on behalf of the conspiracy.
This amounts to more than a simple APT side hustle: the theft (done to enrich an impoverished national treasury) was as important as the espionage. US Assistant Attorney General Demers of the Justice Department’s National Security Division, called Hidden Cobra “a criminal syndicate with a flag” as he explained the role indictments play in naming, shaming, and (one hopes) restraining nation-state threat actors.
CISA has issued alerts amplifying its investigation of Hidden Cobra’s AppleJeus malware family, outlining the JMT Trading, Celas Trade Pro, Ants2Whale, and Kupay Wallet tools.