855 sats \ 3 replies \ @final 9 Sep 2023 \ on: What if your threat model does include a nation state ? tech
During a previous job, some people I had worked alongside looked closely into the DPRK's attacks on cryptocurrency services. We had a daily threat intelligence report and a dedicated team on threat intelligence, as this was in the finance sector.
The DPRK's attacks on cryptocurrency providers in fact weren't very sophisticated. Many nation state 'threat actors' with the APT designations or funny names are often unprofessional or aren't substantially unique beyond what their motives are, their toolkit and where they come from. There are some exceptions like the FVEY, or elite branches in Russia/China's government security agencies. However, those groups often conduct attacks to target an individual or make a serious attack on people comparable to their level (like with the SolarWinds / U.S. Government breach or the USA making malicious, persistent hard drive firmware for single targets).
Many threat actors in hostile nations are just younger people committing crime for fun or financial gain and being able to do it consistently and persistently because the nation they are from does not hold them accountable or punish them for doing it. You can compare Russian ransomware groups or Iranian politically motivated hacktivism to the teenagers in the USA who hack a company and post the database on warez forums, with the difference being the westerners actually go to jail. North Korea is a bit different considering their political climate (extremely communist, everyone is in the military) but their capabilities are around the same and lack anything unique because they are a stupidly poor country. The North Koreans' most damaging attack involved using a leaked American exploit rather than anything original.
North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them sucks, and badly. Intelligence reported that it was phishing, and so did other forensics firms publicly. If you look at the targets that North Korea attacked and stole funds from, you'll essentially see that they are all random shitcoin companies most 'crypto' people have probably not heard of, done with no announcement of a zero-day exploit or sophisticated attack:
- 'Pay-to-Earn' Cryptocurrency game Axie Infinity: $625 million - unspecified
- Atomic Wallet, a custodian wallet: around $100 million - done by phishing*
- Alphapo - Payment processor: $23 million.
North Korea attacks cryptocurrency companies not just because they can use the funds they steal to fund illicit activities. The security that these 'crypto' or 'blockchain' companies have is horrendous to the point that they are low-hanging fruit for the North Koreans to actually take advantage of. FTX was one of the largest exchanges when it was active, and had no dedicated cybersecurity team. In fact, many still don't have it to this day.
Anyways, to answer this:
Users, engineers, researchers, academics and hackers. Companies do little to nothing when it comes to security innovation and it's all down to the people they hire. Companies serve to promote, publicize and make money off of having better security than their competitors only, in my opinion. This doesn't mean to say all the big companies have flawed security though, they don't, since they always get to hire the best people.
Projects like Tor, Whonix, Brave, Samourai, GrapheneOS, or even hardware (e.g. Trezor) and commercial software (e.g. Windows) rely heavily on independent research for the progress of their product. If it is not for the groups of people I mentioned putting them to the test or through scrutiny then they wouldn't be leading anything.
You'll find websites that publish security/privacy advice all the time, but if you can't really trust them to keep them up to date, your best bet is to look at what the developers of big security/privacy projects say. A lot of these people are open to talking about the downsides, shortcomings and what needs to be improved on with their work, because they need that criticism to be public to have someone notice it and make a difference.
"North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them sucks, and badly."
Yes. This is very true. I enjoyed The Lazarus Heist podcast for a deep dive on all that.
I've toyed around with launching a crypto exchange. Riding the rails of our high assurance and compliant infrastructure we are building out anyway as we go through all the hoops to be a prime US Government contractor with facility clearance etc. Once you have your own proper PKI and K8S, it's amazing how "easy" everything becomes and how low your marginal costs drop. :)
"Companies do little to nothing when it comes to security innovation"
Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors? (I know the blame lies with both). Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together.
I hang out in /r/netsec and other similar forums.
Thank you for the detailed/principled reply. It's appreciated.
"Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors?"
Mainly vendors. They'll often drive towards profit and only do what's required or industry standard for their information security or the security of their products - no need to go above since for them that'll just be more costs and less profit. Think the commercialization of products selling security features with special names and marketing frills like 'military-grade' - no innovation when you are doing the same thing as everyone else.
iPhone sells their phone as the most secure when in practice it and an Android (Pixel) are extremely similar in their implementations (default disk encryption, private messaging app, permission controls, a secure element etc.), just an example.
"Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together."
A lot of the best results come from groups like this I think. It's likely why Apple and Google (Project Zero) have their own dedicated teams for these things too.