Source: Harsh Whistle
The Federal Reserve's March meeting statement and press conference, released last night, excited the entire financial market. The actual interest rate cut has not yet arrived, but it is confirmed that monetary policy will be gradually relaxed this year: liquidity will soon flow from the banking system into risk assets.
At the same time, only 30 days remain until the Bitcoin halving, and the Bitcoin ETF has opened a channel for liquidity to flow from traditional financial markets into the crypto market. It is therefore foreseeable that the crypto bull market has begun, and the only question facing investors is how much they will make.
But "Harsh Whistle" is going to blow a piercing whistle here: state-level hacker organizations are eyeing the assets in the crypto market. As an entrepreneur or investor, you must protect your wallet!
In this issue, we invited our old friend Steven, a communications technology expert who has long followed the security field, to explain how Lazarus, the state hacker organization of a mysterious Eastern country and the public enemy of the crypto market, operates, and how we can resist it.
1. Beichen: What is a national-level APT?
Steven: APT stands for Advanced Persistent Threat. In the field of network security, hacker organizations with illegal economic purposes are generally called APTs. Legitimate hacker organizations that specialize in discovering threats and reporting them for money are called white hats, not APTs.
In daily life, we often come into contact with APTs indirectly through black- and grey-market products such as telecom fraud. For example, leaked personal information is often compiled by an APT using crawlers or stolen directly from other databases, but these are only small fry among APTs. Larger APTs such as Golden Eye Dog mainly attack gambling websites, and some target gaming websites.
The highest level is the national-level APT, which usually attacks for political purposes. However, the political hacker organizations in most countries cannot be called APTs, because they are very loosely organized and basically launch attacks at someone's request.
2. Beichen: So only national-level hacker organizations that are well-organized and motivated by political purposes are national-level APTs?
Steven: We can only say that the vast majority of national-level APTs have no financial motive and mainly carry out espionage for political and military purposes. The more powerful ones are Equation Group and Project Sauron, which are affiliated with the US National Security Agency; they mainly launch advanced attacks against Russia, China and other countries to steal sensitive information. Russia is also relatively strong, with Fancy Bear, affiliated with the Military Intelligence Directorate of the Russian General Staff, and Cozy Bear, which belongs to the Russian Foreign Intelligence Service.
The national-level APTs that attack my country most frequently are Poison Ivy, BITTER, SideWinder, Ocean Lotus and Lazarus. Poison Ivy is an APT with an official background in Taiwan, BITTER and SideWinder are from India, and Ocean Lotus is from Vietnam. They usually have clear political purposes, so the organization behind them is easily exposed. Only Lazarus carries out attacks for economic purposes. It belongs to a mysterious country in the East and deserves the vigilance of everyone in the crypto industry.
3. Beichen: So what is the difference between Lazarus and other national-level APTs?
Steven: Lazarus is the cyber warfare unit of the General Reconnaissance Bureau of a mysterious country in the East, and many of its members received higher education or training in China, so they are very familiar with China's Internet environment. The United States has accused the organization of having an operations centre in China. In fact, this is unlikely: it is impossible for us to allow another country's intelligence organization to be active in China, not to mention one whose size is probably more than 8,000 people.
4. Beichen: What achievements has Lazarus had?
Steven: Lazarus's claim to fame was the intrusion into Sony Pictures in 2014. A movie spoofing their leader was about to be released, and a large amount of Sony Pictures' unreleased film material, business emails and employees' private data was leaked. In the end, Sony Pictures announced that it had cancelled the movie's release.
Lazarus later attacked more and more frequently: stealing the foreign exchange reserves of the Central Bank of Bangladesh, intruding into Indian nuclear power plants, and attacking cryptocurrency exchanges multiple times. The most well-known of all is the ransomware that demands its ransom in Bitcoin.
5. Beichen: It stands to reason that as long as the central bank's assets are still in the SWIFT system, they will be frozen. How did Lazarus withdraw the money?
Steven: This was not the first time Lazarus had attacked a central bank system. They had tried to steal from central banks and commercial banks in many other countries before, but all of those attempts failed. In 2016, they attacked the Central Bank of Bangladesh and stole US$101 million in foreign reserves, of which US$20 million went to Sri Lanka and US$81 million to casinos in the Philippines, but most of it was eventually recovered by the United States after the theft was discovered.
6. Beichen: For Lazarus, this money is almost zero cost.
Steven: It's not zero cost. After all, it is stealing money from a country's central bank. They planned it for a long time and used fake accounts, financial intermediaries, casinos and other accomplices in a coordinated crime.
7. Beichen: So how is it determined that these attacks come from Lazarus?
Steven: High-level security companies and the relevant government intelligence agencies can determine that it is Lazarus, because network activity usually leaves traces. What's more, their behaviour pattern is quite distinctive: a high level of attack skill, good organization, and most attacks focused on stealing funds.
8. Beichen: So Lazarus is mainly a revenue-generating unit?
Steven: That's right. U.S. intelligence agencies estimate that Lazarus steals between $300 million and $500 million in assets each year. What's more critical is that in the past five years, more than 90% of this mysterious country's income has come from the crypto circle, and they are more familiar with Chinese people.
9. Beichen: Could you expand on their cases?
Steven: In 2018, US$530 million in cryptocurrency was stolen from the Japanese exchange Coincheck. This was the work of Lazarus.
In 2022, approximately US$1.7 billion in cryptocurrency was stolen (US$1.1 billion of it from DeFi protocols), and then laundered through mixers such as Tornado Cash. It is worth mentioning that this mysterious country's total exports in 2022 were only US$159 million.
Since the second half of 2023, the pace of Lazarus attacks in the crypto circle has clearly accelerated. For example, in June, $100 million was stolen from Atomic Wallet; on July 22, two different institutions were attacked on the same day, with nearly $100 million stolen in total; on September 4, $41 million was stolen from an online crypto casino; and on September 12, $54 million was stolen from the exchange CoinEx.
There are countless other small attacks as well, because a large number of attacks target individual users; these are difficult to count and rarely noticed.
10. Beichen: Does Lazarus succeed so often because they know crypto better, or are traditional attack methods enough?
Steven: Lazarus's attack methods are actually fairly traditional hacker attacks, but of a relatively high level. The most common is the spear-phishing attack, that is, sending files (such as emails) indiscriminately with the virus embedded inside. Of course, they do know the crypto circle very well, so they make good use of watering hole attacks and social engineering.
A watering hole attack is an attack placed on a path you must pass, just as a predator hides near a water source and attacks the animals that come to drink. To carry out a watering hole attack in the crypto circle, you first compromise the project's website and embed specific code in it; users are infected as soon as they interact with it.
Strictly speaking, social engineering is not a technical attack; it exploits everyday social behaviour and human negligence to obtain private information and access rights. Social engineering in the crypto circle often means hackers joining a project's community (such as Telegram or Discord), monitoring it and using transaction data to screen out people who are active and make large transactions, then sending that person a targeted private message, such as an airdrop notice. Once the person opens it, they are attacked.
A more advanced attack method is to infiltrate the project directly as a code contributor and insert attack code.
Projects in the crypto circle are basically distributed teams. It is easy for a highly skilled coder with low salary demands to join the team, and once he has certain permissions as a developer, stealing cryptocurrency is a breeze.
11. Beichen: How do they usually disguise their identities when applying for jobs?
Steven: Lazarus has a clear organizational division of labour. Some members are responsible for data monitoring, some specialize in social engineering to find targets, some focus on technical attacks, and some are responsible for laundering money. In short, it is a very large and powerful team dedicated to this work, and its efficiency is very high.
12. Beichen: So how can we in the crypto circle avoid asset theft?
Steven: Let me give some examples of Lazarus's common attack methods in the crypto circle.
One is that they use the KandyKorn malware to attack traders. It targets the Mac operating system: a Python program disguised as an arbitrage bot loads the attack code into memory, while the attack payload itself is hidden on Google Drive and loaded from there. The loading is also very covert (the malware uses reflective binary loading as an obfuscation technique). This defeats both main methods of anti-virus software: signature detection cannot detect the attack code, and behaviour detection cannot detect abnormal behavioural characteristics.
The other is implanting the SIGNBT payload into the source of encrypted network communication software. After infection, it is equivalent to injecting a full-featured remote access tool into memory, which can then run other malicious software, fetch external data or even terminate processes; in effect the computer is completely controlled by the other party. No matter how well the private key is protected, you only need to sign once for it to be exposed.
Another way is to splice code into ordinary applications. For example, they specialize in attacking companies and open source projects and inserting malicious code to gain full control of the user's system. Whether it is Mac or Windows, iOS or Android, Lazarus has a corresponding program. Most blockchain projects use ready-made open source code, so Lazarus injects code at the very source, making it easy to obtain the project team's permissions.
There is also tampering with browser extensions. Most people use the MetaMask wallet to receive airdrops or interact with projects. When the project website itself is tampered with, it means every wallet that has interacted with it is no longer safe.
13. Beichen: How are the above attack methods carried out?
Steven: Take the 2022 case in which US$620 million was stolen from Ronin, the sidechain built by Axie Infinity developer Sky Mavis.
First, Lazarus learned through social engineering that a Sky Mavis employee was looking for a job, so they set up a fake Web3 job posting, conducted a spear-phishing attack and sent the employee an offer email. The employee opened the PDF file and his computer was infected, and from there they sought to infect the computers and servers of other members across the Sky Mavis company.
Because the Ronin project account is a multi-signature wallet, transferring money requires at least 5 signatures from 9 accounts. For security reasons the company manages only 4 of the accounts, but a DAO community account had authorized the company to manage it, and the authorization was not cancelled in time after use, so it too was broken into by the hackers. In the end, all 620 million US dollars in the account were stolen. It took Sky Mavis a week to discover this.
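An added example, not part of the interview, modelling the 5-of-9 multisig policy and the stale delegated authorization Steven describes; the key names, operator labels, timestamps and signature lists are constructed, and the check can be reused for any m-of-n threshold:

```python
THRESHOLD = 5    # signatures required to move funds (5-of-9, as above)
TOTAL_KEYS = 9   # validator keys in the scheme

def build_validators(delegation_expires):
    """Constructed validator set: 4 keys operated by the company, 5 by
    independent DAO operators. "dao-1" has delegated signing rights to the
    company; delegation_expires is a unix timestamp or None (open-ended)."""
    validators = {f"company-{i}": {"owner": "company", "delegate": None}
                  for i in range(1, 5)}
    validators.update({f"dao-{i}": {"owner": f"dao-operator-{i}", "delegate": None}
                       for i in range(1, 6)})
    validators["dao-1"]["delegate"] = ("company", delegation_expires)
    return validators

def signature_is_valid(validators, key_id, signed_by, now, enforce_expiry=True):
    """A signature counts if produced by the key's owner, or by a delegate
    whose delegation is still live. With enforce_expiry=False an open-ended
    or expired delegation is still honoured: the failure mode in the case above."""
    entry = validators.get(key_id)
    if entry is None:
        return False
    if signed_by == entry["owner"]:
        return True
    delegate = entry["delegate"]
    if delegate is None or signed_by != delegate[0]:
        return False
    if not enforce_expiry:
        return True
    expires = delegate[1]
    return expires is not None and now < expires

def count_valid_signatures(validators, signatures, now, enforce_expiry=True):
    """signatures: list of (key_id, signed_by) pairs; each key counts once."""
    counted = set()
    for key_id, signed_by in signatures:
        if key_id not in counted and signature_is_valid(
                validators, key_id, signed_by, now, enforce_expiry):
            counted.add(key_id)
    return len(counted)

def approve_withdrawal(validators, signatures, now, enforce_expiry=True):
    """Threshold decision the bridge contract or signing service would make."""
    return count_valid_signatures(validators, signatures, now, enforce_expiry) >= THRESHOLD

def stale_delegations(validators, now):
    """Monitoring check: delegations that are open-ended or already expired."""
    return sorted(k for k, e in validators.items()
                  if e["delegate"] and (e["delegate"][1] is None or now >= e["delegate"][1]))

# Constructed scenario: every company-held key is compromised and used to sign,
# and the compromised company also signs on behalf of "dao-1" via its delegation.
ATTACKER_SIGS = [(f"company-{i}", "company") for i in range(1, 5)] + [("dao-1", "company")]
```

With the open-ended delegation honoured, the four company keys plus the delegated key reach the threshold; enforcing an expiry (and alerting on stale delegations) leaves the same compromise one signature short.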
14. Beichen: Wasn't it said before that when they transfer money, there are traces on the chain and on the Internet?
Steven: They first exchange all the stolen digital currencies into ETH through a DEX, then gather them into multiple pre-created disposable wallets, and then run them through a mixer (such as Tornado or Sinbad), where the money is laundered into dozens or hundreds of newly created wallets and then transferred out.
So each Lazarus attack is actually a very heavy workload: a large amount of information must be collected in the early stage, then the attack code must be developed separately, the wallet addresses for money laundering must be prepared, and social engineering must be used. Perhaps some particularly enthusiastic coders contributing code in the project community are from Lazarus.
15. Beichen: So for individuals in the crypto circle, could you summarize how to avoid this? I feel that as long as you interact a lot on-chain, there is no way to avoid it.
Steven: The first is to use centralized exchanges. Although this is not in line with the spirit of crypto, it is indeed difficult for most people to manage their own private keys well. Many people may not even manage their bank accounts well, let alone a private key that is impossible to remember, and nowadays everyone often has more than one wallet address.
I think novices with poor computer skills should simply trust centralized exchanges. After all, even if a legitimate centralized exchange is robbed, most of the assets can be preserved. For example, the stolen assets of Mt. Gox have been preserved to this day.
Beichen: On the contrary, I made more money.
Steven: Yes, at that time Bitcoin was only two to three thousand US dollars, and most people could not have held on until now. A blessing in disguise.
The second is to be careful with basic operations, such as new-token airdrops. If you must perform on-chain operations and interact, then use iOS as much as possible, and it is best to use a dedicated machine.
The third is not to open unknown attachments in unknown emails. Be wary of people who get close to you on social platforms, and don't click on links or emails sent by strangers.
Finally, if you really hold a lot of assets and need to perform on-chain operations, it is best to have a hardware wallet, to classify cold and hot wallets into separate domains, and to prepare multiple devices (PC, mobile phone) isolated from each other. The core assets go into wallets with a high security level; assets that require frequent interaction stay in hot wallets holding only a small amount, so that even if one is stolen the loss will not hurt.
16. Beichen: Hardware wallets are not safe anymore. For example, Ledger has had malicious code embedded in it.
Steven: Yes, but I still recommend using a hardware wallet from a big brand. The bar for wrongdoing is much higher, and even if a vulnerability is discovered, it will be patched in time.
17. Beichen: Do you have any suggestions for project teams?
Steven: The first is strict security discipline: be security aware, set up a multi-signature wallet, and conscientiously implement all security rules. This increases the cost of an attack.
There is also the need to bring in security teams: code review, a blue team (i.e. a defence team), white hat hackers, and have them provide address monitoring and security warnings. Doing so is better than not, because even if funds are stolen, you can find the transfer address as soon as possible (after all, money laundering still takes a certain amount of time). If it is discovered in time, it is still very likely that the funds can be intercepted; if you only discover that the money is missing from the wallet after a week has passed, it will be difficult to recover.
18. Beichen: How do you intercept assets on the chain?
Steven: Either call the police, or rely on your connections in the circle. This is why a security team is brought in, because security teams often have such connections. However, against a national-level APT like Lazarus it will be difficult.
19. Beichen: Currently, security services in the industry are mainly code auditing, and the willingness to pay for other services is not strong.
Steven: Code review is a very basic requirement; it makes attacks by small, lone hackers more difficult, but it is hard to guard against national-level APTs like Lazarus. So I suggest you find a professional blue team. There are actually quite abundant domestic resources of skilled red teams and blue teams.
20. Beichen: For example, 360?
Steven: To be honest, it is impossible for crypto circle projects to hire domestic legitimate companies to provide security services. You can find industry security companies such as SlowMist and CertiK. In fact, through the annual network protection exercises, you can find high-scoring blue teams to serve as your security team. The strongest in the security field are not the largest network security companies but some small professional teams; you can tell this from the annual red-blue competitions.
21. Beichen: Let me finish with a summary.
Steven: The crypto circle today is still a Wild West with little government control, so there are large numbers of robbery and theft gangs and scammers. Whether you are a project team or an individual, the most important thing is to keep this in mind and build your fence a little higher, so that even if you run into a large army like Lazarus, you can still fend off some of its attacks.