Incident Score: Analysis & Impact (DRI1775442259)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing via Service (T1566.003) with high confidence (90%), supported by evidence indicating operatives posing as a quantitative trading firm approached Drift contributors, Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) with moderate to high confidence (80%), supported by evidence indicating malicious VS Code repository shared under guise of vault frontend, and Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.003) with moderate to high confidence (80%), supported by evidence indicating weaponized wallet app distributed via Apple’s TestFlight. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating exploiting the tasks.json file to execute code upon opening and Command and Scripting Interpreter: PowerShell (T1059.001) with moderate to high confidence (70%), supported by evidence indicating malicious VS Code repository likely executed scripts. Under the Persistence tactic, the analysis identified Create Account: Cloud Account (T1136.003) with moderate confidence (60%), supported by evidence indicating deposited over $1 million into Drift’s ecosystem to build trust. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (70%), supported by evidence indicating engaging in detailed technical discussions to appear legitimate. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating operatives posing as a quantitative trading firm, Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (80%), supported by evidence indicating telegram chats and malware were deleted, and Subvert Trust Controls: Code Signing (T1553.002) with moderate to high confidence (70%), supported by evidence indicating weaponized wallet app distributed via Apple’s TestFlight. Under the Credential Access tactic, the analysis identified Compromise Accounts: Cloud Accounts (T1586.002) with moderate to high confidence (80%), supported by evidence indicating iT worker fraud using stolen identities and AI-generated personas and Brute Force: Password Spraying (T1110.003) with moderate confidence (60%), supported by evidence indicating prolonged social engineering campaign to build trust. Under the Discovery tactic, the analysis identified Gather Victim Org Information: Determine Physical Locations (T1591.001) with moderate to high confidence (70%), supported by evidence indicating approached Drift contributors at major crypto conferences worldwide and Gather Victim Network Information: Domain Properties (T1590.001) with moderate to high confidence (70%), supported by evidence indicating detailed technical discussions to appear legitimate. Under the Collection tactic, the analysis identified Data from Information Repositories: Code Repositories (T1213.002) with moderate to high confidence (80%), supported by evidence indicating malicious VS Code repository shared under guise of vault frontend. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating $285 million theft from Drift DEX platform and Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001) with moderate to high confidence (70%), supported by evidence indicating cryptocurrency remains central to North Korea’s revenue streams. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate confidence (50%), supported by evidence indicating malware execution via tasks.json or weaponized wallet app and Financial Theft (T1657) with high confidence (100%), supported by evidence indicating $285 million theft from Drift in months-long social engineering attack. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.