A North Korean threat actor tracked as “BlueNoroff,” a subunit of Pyongyang’s Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, dubbed “SnatchCrypto,” uses malicious documents to gain access to internal communications and then relies on social engineering to manipulate employees.

“If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust,” Kaspersky says. “Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.”

This campaign is targeting small- to medium-sized cryptocurrency companies, as the attackers know that these companies often lack the resources to defend against sophisticated attacks.

“According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups,” the researchers write. “The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”

Seongsu Park, a senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said that companies of all sizes need to be aware of these types of attacks.

“As attackers continuously come up with a lot of new ways to trick and abuse, even small businesses should educate their employees on basic cybersecurity practices,” Seongsu Park said. “It is especially essential if the company works with crypto wallets. There is nothing wrong with using cryptocurrency services and extensions, but note that it is also an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.