
How did the North Korean hacker group Lazarus Group carry out a precision APT infiltration attack?


Reprinted from panewslab

02/24/2025

In the last AMA I had a brief exchange with @benbybit (Bybit's CEO) about whether this was a potential advanced APT infiltration attack; there was no clear determination as to whether it involved an internal compromise. But if the investigation bears out the latest report from SlowMist, how would a precision APT intrusion by the North Korean Lazarus Group against an exchange actually be carried out? The following is a simple explanation of the logic:

Social engineering attack:

  1. The hackers first pose as project teams, investors, third-party partners, etc. in order to contact the company's developers; (this kind of social engineering approach is very common)

  2. They induce employees to run malicious programs under pretexts such as debugging code, or recommending development and testing tools, market analysis programs, and the like; (an employee may be tricked into running them, after which the machine is under the attacker's control)

  3. Once the malicious program is running, the attacker has remote code execution on that machine, and can go on to trick employees into granting further permissions and to move laterally;

Internal network penetration process:

  1. Using the single compromised internal node as a foothold, scan the internal network, steal the SSH keys of key servers, and move laterally by abusing whitelist trust relationships to obtain more control and widen the malware's footprint;

  2. Through continued internal penetration, finally reach the servers related to the target wallet, and alter the back-end smart contract program and the multi-signature UI front end, swapping out the real transaction for a fake one;

How a Lazarus APT (advanced persistent) infiltration attack works, plain-language version:

Think of the exchange's cryptocurrency cold wallet as a special vault located on the top floor of a high-end office building.

Under normal circumstances this vault has strict security measures: there is a display screen that shows the details of each transfer. Every operation requires several executives to be present at the same time and to jointly confirm the information on the display (for example "Transfer XXX ETH to address XX"), and the transfer can only be completed after every executive confirms that it is correct.

However, through a carefully planned infiltration, the hackers first used social engineering to obtain an "access card" for the building (that is, they compromised an initial computer). Once inside the building, they managed to copy the "office key" of a core developer (obtaining important credentials). With this "key" the hackers could slip into more "offices" (move laterally within the system to gain control of more servers).

Finally, they reached the core system that controls the vault. The hackers not only altered the display program (tampered with the multi-signature UI) but also modified the transfer program inside the vault (altered the smart contract). As a result, what the executives see on the display is false information that has been tampered with, while the real funds are transferred to an address controlled by the hackers.

Note: The above describes only the usual APT infiltration methods of the Lazarus hacker group. The @Bybit_Official incident has not yet been conclusively analyzed, so this is for reference only; do not read it as a verdict on any specific party.

Finally, though, I would like to offer a suggestion to @benbybit: Safe is an asset management approach better suited to DAO organizations. It simply executes whatever call its signers approve and performs no verification of whether that call is legitimate. There are better options on the market, such as Fireblocks, RigSec and others; a locally deployed internal-control management solution would provide better support for asset security, permission control, operational auditing and the like.
