Interview | Beichen
Guest | Steven
The public statement and press conference of the March meeting of the Federal Reserve last night have invigorated the entire financial market. Of course, the actual interest rate cut has not yet arrived, but it is certain that this year's monetary policy will gradually relax—liquidity is about to flow from the banking system to the risk market.
With Bitcoin halving only 30 days away, and the Bitcoin ETF opening the channel for liquidity to flow from traditional financial markets into the crypto market, it can be foreseen that the bull market in the crypto market has started, and investors are only facing the question of whether to earn more or less.
However, "The piercing Whistle" here needs to sound a piercing alarm—national-level hacker organizations are eyeing the assets in the crypto market, and as entrepreneurs and investors, you must guard your wallets!
In this issue, we have invited our old friend Steven, a communication technology expert who has long been concerned with the security field, to uncover the archenemy of the crypto market—how the national-level hacker organization Lazarus from a mysterious Eastern country operates, and how we should defend against it.
1. Beichen: What is a national-level APT?
Steven: APT stands for Advanced Persistent Threat, and in the field of cybersecurity, illegitimate hacker organizations with economic motives are generally referred to as APT. Legitimate hacker organizations specialize in discovering threats and reporting them for profit, known as white hats, and would not be called APT.
In our daily lives, we often indirectly encounter APT through telecommunications fraud and other illegal activities. For example, the leaked personal information is often organized by APT using web crawlers or directly stolen from other databases, but this can only be considered small-scale within APT. Larger APTs, such as GoldenEye, mainly target gambling websites, and there are also some that target gaming websites.
The highest level of APT is national-level APT, often launched for political purposes. However, most national political hacker organizations cannot generally be called APT because they are very loose and are basically initiated by someone before launching an attack.
2. Beichen: So only tightly organized and politically motivated national-level hacker organizations are considered national-level APT?
Steven: It can only be said that the vast majority of national-level APTs do not have economic motives and mainly execute espionage missions for political and military purposes. The more powerful ones are the Equation Group and Project Sauron, which are affiliated with the US National Security Agency, mainly targeting Russia, China, and other countries to steal sensitive information. Russia also has a strong presence, such as the Fancy Bear affiliated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation and the Cozy Bear of the Russian Foreign Intelligence Service.
The most frequent national-level APT attacks in our country are Poison Ivy, BITTER, SideWinder, Ocean Lotus, and Lazarus. Poison Ivy is an APT with official background in Taiwan, BITTER and SideWinder are from India, and Ocean Lotus is from Vietnam. They often have clear political purposes, so the organizations behind them are easily exposed. Only Lazarus conducts attacks for economic purposes, is affiliated with a mysterious Eastern country, and is worthy of vigilance by everyone in the crypto industry.
3. Beichen: So what sets Lazarus apart from other national-level APTs?
Steven: Lazarus is the cyber warfare unit of the General Reconnaissance Bureau of a mysterious Eastern country, and many of its members have received higher education or training in China, so they are very familiar with China's network environment. The United States has accused the organization of having operational centers in China, but this is unlikely, as we would not allow an intelligence organization from another country to operate within our borders, especially considering its size, which is probably over 8,000 people.
4. Beichen: What are Lazarus's achievements?
Steven: Lazarus's claim to fame was the invasion of Sony Pictures in 2014. At the time, a parody movie about their leader was about to be released, so they leaked a large amount of unreleased film materials, business emails, and employee privacy from Sony Pictures, ultimately leading to the cancellation of the movie's release.
Subsequently, Lazarus's attacks became more frequent, such as stealing Bangladesh's foreign exchange reserves, infiltrating Indian nuclear power plants, and multiple attacks on crypto exchanges, with the most well-known being ransomware paid in Bitcoin.
5. Beichen: In theory, as long as the assets of central banks are still in the SWIFT system, they will be frozen. How did Lazarus manage to withdraw this money?
Steven: This was not Lazarus's first attempt to attack central bank systems; they had previously attempted to steal from many other central banks and commercial banks, but without success. In 2016, they attacked the Bangladesh central bank and stole $101 million in foreign reserves, of which $20 million flowed to Sri Lanka and $81 million to casinos in the Philippines, but most of it was eventually recovered after being discovered by the United States.
6. Beichen: For Lazarus, this money was almost costless.
Steven: It was not costless, after all, it was stealing from a country's central bank, and they had planned for a long time, and used fake accounts, financial intermediaries, casinos, and other accomplices in the crime.
7. Beichen: How can we determine that these attacks are from Lazarus?
Steven: High-level security companies and relevant government intelligence agencies can determine that it is Lazarus because network activities generally leave traces, and their behavior patterns are quite distinct: high-level attacks, tight organization, and the majority of attacks are primarily for stealing funds.
8. Beichen: So, is Lazarus primarily a revenue-generating unit?
Steven: That's right. According to US intelligence estimates, the assets stolen by Lazarus each year are approximately three to five billion US dollars. What's more critical is that over 90% of the income of this mysterious country in the past five years has come from the crypto industry, and they are more familiar with the Chinese.
9. Beichen: Can you elaborate on their cases?
Steven: In 2018, the Japanese exchange Coincheck was robbed of $530 million in cryptocurrency, which was the work of Lazarus.
In 2022, they stole about $1.7 billion in cryptocurrency (of which $1.1 billion came from DeFi protocols) and then laundered the money using mixers like Tornado Cash. It is worth mentioning that the total export volume of this mysterious country in 2022 was only $159 million.
Since the second half of 2023, Lazarus's attacks in the crypto industry have noticeably accelerated. For example, in June, they stole $100 million from Atomic Wallet, and on the same day, July 22, they attacked two different institutions, stealing nearly $100 million in total. On September 4, they stole $41 million from an online crypto casino. On September 12, they stole $54 million from the exchange CoinEx.
There are countless other small-scale attacks, as there are a large number of attacks targeting individual users, which are difficult to quantify and rarely receive attention.
10. Beichen: Lazarus has been successful frequently. Is it because they understand crypto better, or are traditional attack methods sufficient?
Steven: Lazarus's attack methods are actually quite traditional hacker attacks, but at a high level. The most common is spear phishing attacks, where files (such as emails) are sent without specificity, and viruses are embedded within. Of course, they are also very familiar with the crypto industry, which allows them to effectively use watering hole attacks and social engineering.
A watering hole attack is an attack on your essential path, much like a predator hiding near a water source to attack animals that come to drink. In the crypto industry, a watering hole attack involves attacking the project's website, embedding specific code on the website, and anyone who interacts with it becomes infected.
Social engineering, strictly speaking, cannot be considered a technical attack, but rather a means of using everyday social behaviors and exploiting human negligence to obtain private information and access permissions. In the crypto industry, social engineering often involves hackers joining the social communities of projects (such as Telegram, Discord) to monitor, using transaction data to identify those who are active in trading and have large transactions, and then targeting these individuals with personalized messages, such as sending a fake airdrop message, which, once opened, leads to an attack.
A more advanced attack method is to directly infiltrate the project as a code contributor, thereby introducing attack code.
Most crypto projects operate in a distributed manner, making it relatively easy for a highly skilled and low-salary developer to join the team. Once they gain developer access, stealing cryptocurrency becomes effortless.
11. Beichen: How do they typically disguise their identities when applying for positions?
Steven: Lazarus's organization has clear divisions of labor, with some responsible for data monitoring, others specializing in social engineering to find targets, some researching technical attacks, and others handling money laundering. In short, this is a super-powerful team dedicated to this work, and their efficiency is very high.
12. Beichen: So how can we in the crypto industry avoid having our assets stolen?
Steven: Let me give a few examples of common attack methods used by Lazarus in the crypto industry.
One method is using the KandyKorn software to attack traders. It is designed for the Mac operating system, where a Python program masquerades as an arbitrage bot, and the attack code is loaded into the memory of the Mac operating system, with the payload hidden in the Google Cloud service disk, and the loading action is very discreet (the virus code uses reflective binary loading as an obfuscation technique). This renders both code signature detection and behavior detection ineffective.
Another method is to implant the SIGNBT payload at the source of encrypted network communication software, effectively injecting a full-featured remote access tool into the memory, allowing the execution of other malicious software, data exfiltration, and even termination of processes, essentially giving the attacker full control of the computer. Even if the private keys are well protected, once a signature is made, the information is exposed.
Another method is to insert code into some ordinary applications. For example, specifically targeting companies and open-source projects and inserting malicious code to gain full system permissions from users, whether it's Mac or Windows, iOS or Android, Lazarus has corresponding programs. Since many blockchain projects use ready-made open-source code, Lazarus injects the code at the source, making it easy to gain access to the project's permissions.
There is also tampering with browser extensions. Many people use the MetaMask wallet for airdrops or interactions, and if the project's website itself is compromised, all wallets that have interacted with it become insecure.
13. Beichen: How are these attack methods carried out?
Steven: Let's take the example of the 2022 theft of $620 million from the Ronin sidechain developed by Sky Mavis, the developer of Axie Infinity.
First, Lazarus used social engineering to learn that an employee of Sky Mavis was job hunting, so they falsely set up a Web3 job position and conducted a spear phishing attack, sending the job offer email to the employee. When the employee opened the PDF file, their computer was infected, leading to the infection of other computers and servers within Sky Mavis.
The Ronin project account required at least 5 out of 9 multi-signature wallets to sign for a transfer, and the company only managed 4 of the accounts for security reasons. However, there was a DAO community account that had been authorized by the company but was not promptly deauthorized after use, and it was breached by hackers. The entire $620 million was stolen, and it took a week for Sky Mavis to discover the incident.
14. Beichen: But wouldn't there be traces of the stolen money on the blockchain and the internet?
Steven: First, the stolen cryptocurrency is converted to ETH through a DEX, then aggregated into pre-established one-time wallets, and finally run through mixers (such as Tornado, Sinbad) to wash the money into dozens or even hundreds of newly created wallets before being transferred out.
So each of Lazarus's attacks actually involves a lot of work, collecting a large amount of information, developing attack code, preparing money laundering wallet addresses, and using social engineering methods. It's possible that some particularly enthusiastic developers in the project community are actually from Lazarus.
15. Beichen: So, what are some ways for individuals in the crypto industry to avoid this? I feel like as long as you interact on the blockchain, it's unavoidable.
Steven: The first option is to use centralized exchanges, even though it goes against the spirit of crypto. Many people find it difficult to manage their private keys, and some people may not even manage their bank accounts well, let alone remember an impossible-to-memorize private key. Additionally, most people have multiple wallet addresses.
I think it's best for novices with poor computer skills to trust centralized exchanges, as even if they are hacked, most of the assets can be preserved. For example, the assets stolen from Mt. Gox have been preserved to this day.
Beichen: They might even earn more.
Steven: Yes, at that time, when Bitcoin was only two or three thousand dollars, most people couldn't have held onto it until now, so it could be considered a blessing in disguise.
The second option is to pay attention to basic operations, such as new coin airdrops. If you must interact on the blockchain, it's best to use the iOS system and have a dedicated device.
The third option is to not open attachments from unknown emails. Be cautious of people who are overly friendly on social platforms, and do not click on links or emails from strangers.
Finally, if you have a significant amount of assets and need to interact on the blockchain, it's best to have a hardware wallet, and cold and hot wallets should be tiered and separated, with multiple hardware devices (PC, mobile) isolated from each other. The most critical assets should be stored in a high-security level wallet, and for assets that require frequent interaction, prepare some hot wallets with only a small amount of assets. Even if one is compromised, the loss will not be significant.
16. Beichen: Even hardware wallets are not safe now; for example, malicious code was embedded in Ledger.
Steven: That's true, but I still recommend using hardware wallets from reputable brands, as the threshold for malicious activity is much higher, and even if vulnerabilities are discovered, they are promptly addressed.
17. Beichen: Do you have any suggestions for project teams?
Steven: The first is to strictly adhere to security discipline, have security awareness, set up multi-signature wallets, and diligently follow all security guidelines, as this will increase the cost of attacks.
Another suggestion is to introduce a security team, such as code audits, and bring in a blue team (defense team), white-hat hackers, to provide address monitoring and security alerts. It's better to do something than nothing, because even if assets are stolen, finding the transfer address in a timely manner (since money laundering still takes time) can prevent a significant loss. It's much harder to recover assets if a week has passed before discovering that the wallet is empty.
18. Beichen: How can blockchain assets be intercepted?
Steven: Either report it to the authorities, or rely on your connections within the industry. This is why it's important to have a security team, as they often have such connections. However, if you encounter a national-level APT like Lazarus, it becomes very difficult.
19. Beichen: Currently, security services in the industry mainly focus on code audits, and there isn't strong willingness from project teams for other paid services.
Steven: Code audits are a basic requirement and can increase the difficulty of attacks by individual hackers, but it's difficult to defend against national-level APTs like Lazarus. So I recommend finding a professional blue team. There are actually quite a few resources for skilled red and blue teams in China.
20. Beichen: Such as 360?
Steven: To be honest, crypto projects cannot hire legitimate companies in China to provide security services. You can look for companies like SlowMist, CertiK, which are security companies within the industry. By participating in annual security competitions, you can find the blue teams with high scores to form a security team. The strongest in the security field are not the largest cybersecurity companies, but rather some specialized small teams, as you can see from the annual red and blue team competitions.
21. Beichen: Finally, could you provide a summary?
Steven: The crypto industry is still like the Wild West, with little government regulation, leading to a large number of robbery and fraud groups. Whether it's project teams or individuals, the most important thing is for everyone to be vigilant and raise their guard, so that even when facing a large-scale attack like Lazarus, some of their attacks can still be prevented.