In the last AMA, I had a brief discussion with @benbybit's boss about whether it was a potential APT penetration attack, and we did not reach a clear conclusion on whether it was an internal penetration attack. But if the investigation result matches the latest SlowMist report, how did the North Korean hacker organization Lazarus Group carry out a sophisticated APT penetration attack against the exchange? Below is a simple explanation of the logic:
Social Engineering Attacks:
1) The hackers first contact the company's developers while posing as project owners, investors, third-party partners, etc. (this kind of social engineering is very common);
2) They induce employees to run malicious programs under the pretext of debugging code or of recommending the development of testing tools, market analysis programs, etc. (the employees may have been deceived, or subverted);
3) Once the malicious program runs, the attacker obtains remote code execution and uses the employee's foothold for privilege escalation and lateral movement;
Intranet penetration process:
1) Use the single compromised intranet node to scan the internal network, steal the SSH keys of key servers, and abuse whitelist trust relationships to move laterally, obtaining more control and expanding the footprint of the malicious programs;
2) Through continued intranet penetration, the attacker eventually reaches the server associated with the target wallet and modifies the backend smart contract program and the multi-signature UI front end so that transactions can be substituted;
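The lateral movement in step 1) leaves a trace that a defender can look for: one internal source host authenticating with a stolen key to many servers in a short window, and a key fingerprint appearing from a source it is never normally used from. The following detection logic is an added example, not code from the original post or from SlowMist; the sshd log lines are constructed, and the baseline of "which source hosts normally use which key" is an assumed input that a real deployment would build from history.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format; hostnames, IPs and
# fingerprints are invented for illustration, not taken from any incident.
SAMPLE_LOG = """\
Feb 21 09:58:12 web01 sshd[2210]: Accepted publickey for deploy from 10.0.5.20 port 40210 ssh2: ED25519 SHA256:DEPLOYKEY000
Feb 21 10:01:03 web01 sshd[2321]: Accepted publickey for deploy from 10.0.1.77 port 51234 ssh2: ED25519 SHA256:DEPLOYKEY000
Feb 21 10:01:09 db01 sshd[812]: Accepted publickey for deploy from 10.0.1.77 port 51240 ssh2: ED25519 SHA256:DEPLOYKEY000
Feb 21 10:01:15 signer01 sshd[4410]: Accepted publickey for deploy from 10.0.1.77 port 51251 ssh2: ED25519 SHA256:DEPLOYKEY000
Feb 21 10:01:20 cache01 sshd[901]: Accepted publickey for deploy from 10.0.1.77 port 51260 ssh2: ED25519 SHA256:DEPLOYKEY000
Feb 21 10:30:00 web02 sshd[3000]: Accepted publickey for alice from 10.0.5.20 port 42000 ssh2: ED25519 SHA256:ALICEKEY111
Feb 21 10:31:00 web01 sshd[3001]: Failed password for root from 10.0.1.77 port 52000 ssh2
"""

# Only successful public-key logins are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)$"
)


def parse(log_text, year=2025):
    """Turn centralised sshd lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    return events


def detect_fanout(events, window_minutes=10, min_hosts=3):
    """Flag a source IP whose key logins reach >= min_hosts distinct servers inside a sliding window.

    A developer workstation normally talks to one or two servers; a compromised node
    spraying a stolen key across the intranet touches many in minutes.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_minutes * 60:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append((src, tuple(sorted(hosts))))
                break  # one alert per source is enough
    return alerts


def detect_key_from_new_source(events, baseline):
    """Flag a known key fingerprint used from a source IP outside its baseline.

    baseline: {fingerprint: set(source IPs it is normally used from)} (assumed input).
    Keys absent from the baseline are ignored rather than guessed about.
    """
    alerts = []
    for e in events:
        allowed = baseline.get(e["fp"])
        if allowed is not None and e["src"] not in allowed:
            alerts.append((e["fp"], e["src"], e["host"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(detect_fanout(evs))
    print(detect_key_from_new_source(evs, {"SHA256:DEPLOYKEY000": {"10.0.5.20"}}))
```

Both detectors need logs shipped off the servers before the intruder can edit them; the fan-out rule is the cheaper one to run first, and the baseline rule catches the quieter case where a stolen key is used against a single high-value host.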
The principle of a Lazarus APT advanced persistent penetration attack, plain-language version:
Think of an exchange’s cryptocurrency cold wallet as a special vault located on the top floor of a premium office building.
Under normal circumstances, this vault has strict security measures: there is a display screen to show the information of each transfer, and each operation requires multiple executives to be present at the same time, and they need to confirm the information on the screen together (such as "XXX amount of ETH is being transferred to XX address"). Only after all executives have confirmed that it is correct can the transfer be completed.
However, through a carefully planned penetration attack, the hacker first obtained the building's "access card" (that is, compromised the initial computer). After getting into the building, the hacker managed to copy the "office key" of a core developer (obtaining important permissions). With this "key", the hacker could quietly sneak into more "offices" (move laterally within the system and gain control of more servers).
Finally, the core system that controls the vault was found. The hacker not only changed the display-screen program (tampered with the multi-signature UI) but also modified the transfer program inside the vault (changed the smart contract), so that what the executives saw on the display screen was tampered, false information, while the real funds were transferred to an address controlled by the hacker.
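The defence against a tampered "display screen" is to never trust the screen: each signer decodes the raw transaction bytes on an independent device and compares them field by field with the transfer they believe they are approving. The block below is an added example, not code from the original post or from Safe; it builds a Safe `execTransaction` call in standard ABI encoding, decodes it back, and reports every field that disagrees with the signer's stated intent. The function selector `0x6a761202` and the operation values (`0` = Call, `1` = DelegateCall) are those of the Safe contracts; the addresses, amounts and the `intent` dictionary are constructed.

```python
# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,
# address,address,bytes) in the Safe contracts; hard-coded because keccak-256 is not
# in the Python standard library.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1          # Safe's Enum.Operation values
ZERO_ADDRESS = "0x" + "00" * 20


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr_word(addr_hex: str) -> bytes:
    return bytes.fromhex(addr_hex.removeprefix("0x")).rjust(32, b"\x00")


def _dyn_bytes(b: bytes) -> bytes:
    """ABI encoding of a dynamic `bytes` value: length word, then data padded to 32 bytes."""
    return _word(len(b)) + b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to, value, data, operation, safe_tx_gas=0, base_gas=0,
                            gas_price=0, gas_token=ZERO_ADDRESS,
                            refund_receiver=ZERO_ADDRESS, signatures=b"") -> bytes:
    """Standard ABI encoding: 10 head words, then the two dynamic tails (data, signatures)."""
    data_off = 10 * 32
    sig_off = data_off + len(_dyn_bytes(data))
    head = (_addr_word(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(safe_tx_gas) + _word(base_gas) + _word(gas_price)
            + _addr_word(gas_token) + _addr_word(refund_receiver) + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + _dyn_bytes(data) + _dyn_bytes(signatures)


def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover the fields a signer must check from raw calldata, with no UI in the loop."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]

    def word(i):
        return int.from_bytes(body[32 * i:32 * (i + 1)], "big")

    def addr(i):
        return "0x" + body[32 * i + 12:32 * (i + 1)].hex()

    def dyn(off):
        length = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + length]

    return {"to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9))}


def check_against_intent(calldata: bytes, intent: dict) -> list:
    """Return a list of discrepancies; an empty list means the bytes match what the signer expects."""
    tx = decode_exec_transaction(calldata)
    problems = []
    if tx["to"].lower() != intent["to"].lower():
        problems.append(f"recipient mismatch: {tx['to']}")
    if tx["value"] != intent["value"]:
        problems.append(f"value mismatch: {tx['value']}")
    if tx["operation"] != OP_CALL:
        problems.append("operation is DelegateCall (1), expected plain Call (0)")
    if tx["data"] != intent.get("data", b""):
        problems.append("calldata differs from intended payload")
    if tx["refundReceiver"].lower() != ZERO_ADDRESS:
        problems.append(f"unexpected refundReceiver: {tx['refundReceiver']}")
    return problems


# Constructed scenario: the signer intends a plain 1 ETH transfer to a known address.
INTENT = {"to": "0x" + "11" * 20, "value": 10 ** 18, "data": b""}

if __name__ == "__main__":
    honest = encode_exec_transaction(INTENT["to"], INTENT["value"], b"", OP_CALL)
    print("honest:", check_against_intent(honest, INTENT))
    # A substituted transaction: different target, zero value, a payload, and DelegateCall.
    substituted = encode_exec_transaction("0x" + "22" * 20, 0, b"\xde\xad\xbe\xef", OP_DELEGATECALL)
    print("substituted:", check_against_intent(substituted, INTENT))
```

The same field-by-field comparison applies to the EIP-712 `safeTxHash` payload a hardware wallet displays, since it is built from these very fields; this example decodes the calldata form because that needs no keccak implementation. The important design choice is that the intent comes from the signer's own record of the approved transfer, never from the web UI that proposed the transaction.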
Note: the above is only the usual APT penetration method of the Lazarus hacker group. There is no final, conclusive analysis report on the @Bybit_Official incident yet, so this is for reference only; please do not take it personally!
Finally, however, I would like to offer a suggestion to @benbybit boss. Safe is an asset management method that is more suited to DAO organizations: it only cares about executing a normal call and does not care about verifying the legitimacy of that call. There are many better local internal-control management solutions on the market, such as FireBlocks and RigSec, which offer better support for asset security, permission control, and operation auditing.