Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘DPRK’ Category

KONNI: Malware Campaign Inside Pyongyang

leave a comment »

So the release of the KONNI report by Cisco piqued my interest and so I thought I would look into the data presented and see if there was anything else to be seen. In looking at the malware (samples below) and the C2 involved over the last three years a few things come up about this campaign.

  • The malware evolution is interesting as it started off kinda low-tek and then expanded in scope and in complexity of code by the writers
  • The C2’s mostly seem to be clear of data showing who may own them and or who started the domains and this is rather professional in my opinion.
  • One of the re-directed C2’s can be tied back to an alleged Chinese alias that owns numerous sites and allegedly is in Canada (a.yesadsrv.com) which comes back to yesupinc@yahoo.com as the address used in the domain information
  • The C2’s also cluster in areas where other phishing exploits reside so as to maybe couch them in a constellation of disinformation
  • The documents being used as part of the phish campaign seem to be aimed at English speaking embassy staff with alternate RU campaigns that might be running in parallel (as noted by doc file in sample Talos found in Cyrillic)
  • All the documents look as though they would be common files passed around the embassy set and thus would not be something that would tip off the targets as to their being phish
  • HOWEVER, the documents that are being aimed at these users show that they are low hanging fruit and not savvy to phishing threats because all of these have .scr or other types of file names attached and as such a savvy user would not click on them
  • The campaign has been detected and the malware samples found in open source sites going back to 2015 (see links below) and the 2017 iteration was shown to be in a hybrid-analysis clone run in native Korean language on april 19th 2017.
  • MOST of the infrastructure has been pulled but some of it is still up even today and you can pull down the SYM64.exe but attempts got a 0 byte file

Conclusions:

What all of my digging around has shown me is that this campaign is directed more at DPRK’s embassy set and thus hopefully at the hermit nations traffic in those embassies that may have gotten the phish. The use of English language is of interest to me but I suppose that the assumption is that these documents coming from the UN and other affiliates would be in English and not in Korean. There was one document that was purportedly from China but it also was not in Chinese so there is that too, I would have liked to have seen it translated to Chinese for good measure.

When I looked at the metadata for the document about blowing up NYC with a hydrogen bomb I found that it only had  the name “John” and the date of creation and editing were transposed. I did not do a deep dive into the metadata but maybe later I will. For now though, the document is alleged to have come from an American and concerned “propaganda” so perhaps the email that the document was attached to was an alert for the embassy staff on recent events and timed for added click-ability. This would make a lot of sense to me and I suspect would have more than a few clicks occur to see what it had to say even with .scr in the filename.

I have since been wondering just how much data the hermit kingdom really shares with the embassies that they have around the world. I personally think they would not be of much intelligence use in many respects because Kim does not trust anyone and certainly not anyone not within his immediate reach to disappear. So what kinds of information might the malware get getting from these windows machines within such places? I also have to wonder if any of these documents/malware made their way to Kim and others within the Pyongyang confines and thus maybe onto grey license systems in DPRK itself. I then have to wonder as well what rules may be on their firewalls to let any telemetry get out to the internet proper, as I understand it only a core group have internet access outside the confines of the country.

All of these questions beg another question….

Do we know for sure these were aimed at DPRK embassies/personnel?

Now go with me for a minute here… This kind of information would also be of interest to other groups and countries right? Do we have any telemetry from Talos or elsewhere that the systems infected were in fact in DPRK sites? Do we have email addresses within the phish? I have not seen this information in any of the samples yet so I cannot say for sure that they were the target. If Talos has more maybe they should ya know, tell us all? I for one would be interested to see more on the targeting here because to me, this is all kinda sketch unless you can prove they were the ones opening the stuff.

Say Talos, did you get into that C2 infrastructure and pull some data down on systems compromised?

Come on, you can tell uncle Krypt3ia!

SAMPLES:

Ask for them and we will work out a transfer method

LINKS:

http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.htmlhttp://www.threatcrowd.org/domain.php?domain=phpschboy.prohosts.orghttp://www.threatcrowd.org/domain.php?domain=jams481.site.bzhttps://www.google.com/search?client=ubuntu&channel=fs&q=7640894b9a61e533646067bc542f04f2&ie=utf-8&oe=utf-8https://www.reverse.it/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1https://www.hybrid-analysis.com/sample/c405fa8f6f5cd50c9bf4d76dad57f6c939bfb0fe95683f239764844dbb13bb91?environmentId=1&lang=idhttp://www.threatcrowd.org/domain.php?domain=dowhelsitjs.netau.nethttps://www.threatminer.org/sample.php?q=ed759d5a9edb3bba5f48f243df47be29e3fe8cd7https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdfhttp://www.threatcrowd.org/domain.php?domain=pactchfilepacks.net23.nethttps://www.hybrid-analysis.com/sample/94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5?environmentId=4&lang=zhhttps://www.hybrid-analysis.com/sample/69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0?environmentId=100https://malwr.com/analysis/NWJiY2EwOGE3MjUwNDg1ZjhlZmY0MjdlMzc2MDQzYzc/https://www.virustotal.com/en/url/4b273842b1731390c837c10d9b59e76eb974ac8eeff961c186c64ef3309430f0/analysis/1494269840/https://www.virustotal.com/en/domain/a.yesadsrv.com/information/http://www.threatcrowd.org/ip.php?ip=31.170.160.129

Written by Krypt3ia

2017/05/08 at 20:16

Posted in .gov, .mil, APT, DPRK, Malware, Phishing

DD0S: Posters From Walls To Legitimate Weapon Of War and Its Possible Use Scenarios

leave a comment »

e832ad312e217a0fbcb4fe34c5dc65e1pew pew pew

 

Historical DDoS

Distributed Denial of Service has been the go to tool for the script kiddie and Anonyous over the years but recent developments have shown that this tool may be evolving and maturing with new use by actors within the nation state arena. In fact DDoS has been used before by Russia on Georgia in 2008 and again recently on the attack of the power grid in Ukraine. The types of attacks varied but the end state of denying service to sections of infrastructure have been the same in each of those occasions.

What was once considered to be just a tool for skids is now fast becoming a dangerous tool for other attacks that in tandem with kinetic action, could be the prelude to war or, more to the point, smaller actions that may not lead to the intensity of war by the standard definition by countries like the USA. This blog post contains a set of scenarios that could possibly play out but they are more so thought experiments to show the potential use of a denial of service in hybrid or network centric war that includes information warfare, CNO, and CNE implications.

Recent Events

Directed Attacks on Infrastructure and Defense (Schneier)

In a recent post on his blog, Bruce Schneier alluded to some very directed DoS activity against infrastructure of the internet. He was not really forthcoming with the data but I too had heard of some activity and thus began to ponder who might be carrying out tests of new denial of service tools. His go to on who was carrying out the attacks was China, which was a poor choice in my opinion and wrote an off the cuff retort here. I believe that another actor is afoot in that one and as you read below that actor is DPRK. I think this for many reasons that I will cover later.

In any case, the attacks have been systematic and show planning in a way that alludes to a desire to take out large areas of the internet and or command and control systems for the nation(s) that would degrade our abilities to fight a war, carry out daily business, or just surf the web. Of course the former is the most important and likely the aegis here rather than the latter for this adversary.

Krebs

Another event that has taken place in rapid succession to the attacks on infrastructure was the DDoS of Brian Krebs website after he outed a company that performs DDoS as a service in Israel. This attack for the most part appears to me to be revenge for the takedown he was part of, but he has over the years managed to piss off many of the skidz out there today so the list of names grows exponentially there. What struck me though in this attack was that the tool used was then burned by it’s one time use on Brian. If this actor were someone within the space of nation state, they would not want to burn the tool so to speak.

In fact, post the hubbub of the determination that the tool in question leveraged a botnet consisting of IoT devices (Internet of Things) the author dumped his code online because within days he already was seeing his output diminish because ISP’s were cleaning up their acts and denying access to insecure IoT devices and telnet sessions that had default creds. With this revelation it leaves the tool up for use to some, upgrades to others, but overall it is burned as tools go for surprise attacks. Of course the tool’s DDoS is carried out by GRE packets which is a hard one to stop. If others find new sources of bots for the botnets then the tool once again can be fired and take down the targets pretty readily, so there is that.

South Korean Router Hack

The Yonhap News agency recently put out a report stating that the ROK military had suffered an attack on a ‘Vaccine Routing Server’ at their cyber command in Seoul. I am still not sure what a vaccine routing server is other than perhaps a bad translation from Korean to English but if it is in fact a router, then this attack could further a DDoS quite well. Of course this attack if carried out the right way, could be just like the OVH attack that leveraged traffic directly through to the back end of the OVH infrastructure. This type of attack would be devastating on any network. If in fact the OVH attack was another “test” of another, as yet un-named tool, then leveraging such a router compromise on the ROK cyber command by DPRK would be the next best thing to just dropping a missile on the building, which would likely happen right after the DDos begins in a lightning war.. But I digress.

Tactical Use

So with all of these things in mind, I would like to next discuss the tactical use of DDoS in a hybrid warfare scenario. In the cases earlier stated with Russia, both types of denial of service were used in differing capacities. In Georgia, they used the DoS to cut off the country’s communications both internally and externally leaving them dark the rest of the world. In the case of the recent attack in Ukraine they did not use the common tactic of DoS by packet, instead they used a phone DoS on the helpdesk at the power company as well as other tricks like attempting to re-write the firmware in the ICS/PLC environment so that the power would stay down after the attack. Both of these attacks plainly show the value of this type of attack but below I will go into the thought process behind their use.

Deny, Degrade, Disrupt & Psyops

DoS of any kind’s main goal in a warfare sense is to deny access and communications, degrade access and communications, and disrupt access & communications. These primary goals have sub goals of slowing the adversary, denying the adversary, and disrupting their abilities to respond to attacks. If you carry out these denial of service attacks on communications lines for say military command and control (C4ISR) then you are effectively blinding the enemy and or disrupting their ability to respond and prosecute a war.

Years ago an example of this was carried out in Syria by Israel when they attacked a radar station electronically and allowed their jets to make it through unseen by the air defense of the country. This operation (Orchard) leveraged this electronic attack to destroy a nuclear facility before it went live. In certain situations these attacks also can have the added benefit, or even the main goal, of prosecuting a PSYOP (Psychological Operations) on the affected country by destabilizing their networks (public and mil) and sow distrust of the infrastructure as well as cause pandemonium. I will write further on the PSYOPS angle below in one of the scenarios.

Signal To Noise

In some cases a DdoS can be used to distract an adversary while you are attacking a specific asset(s) in a hack. This type of activity has been seen in some of the Chinese activity in the past. This type of attack is quite successful as the IR teams are otherwise engaged in trying to mitigate being offline, it is easy to miss a certain network or device that may still be connected and being attacked. With the masses of data being aimed at the defenses it is easy to miss the attack within the deluge of bad data.

Scenarios

Scenario One: Core Infrastructure Attacks on ROK and USA

With the attacks on infrastructure mentioned above, and the ROK Cyber Command attack on a “router” this scenario concerns a “short war” which is the favored type of warfare by the DPRK. In this attack the following happens:

  1. DPRK launches a DDoS of some kind(s) on ROK and US assets to disrupt C4ISR
  2. DPRK engages their rocket batteries just outside of the DMZ with a three minute flight time to Seoul
  3. DPRK launches other forces and attempts to overtake ROK

It is within the nature of DPRK to attempt this kind of attack because it is doctrine for them, they have nothing to lose, and they would aim to deny, degrade, and disrupt ROK’s allie, the US with the types of attacks we have seen recently with the GRE packet attacks. Of course there would have to be other maneuvers going on and other attacks within the spectrum, but this attack vector would be easy enough for DPRK to leverage in a kinetic hybrid war scenario.

Additionally, the use of DDoS by DPRK is a natural fit because of the lack of infrastructure within the hermit kingdom. If DPRK were to leverage DDoS like the GRE elsewhere, it could easily do so because of the aforementioned lack of connectivity as well as the norms today for warfare do not really cover DDoS (yet) as a type of attack that would require a kinetic response. DoS and DDoS are the perfect asymmetric cyber warfare tool for DPRK and I for one would not be surprised to see in the near future, it’s use by them in scenarios like these.

Directed Attacks In Concert on US Elections

The following scenario concerns the upcoming US election and the possible use of DoS/DDoS as a tool to sow mayhem during the process. Russia seems to be actively tampering with the US electoral process in 2016 through direct means by way of hacking and cyber warfare tactics. However, this attack could be just as easily leveraged by DPRK or anyone else. I am using Russia in this instance because it is October and, well, you all have seen the news lately right?

  1. Russia attacks the internet infrastructure within the united states to deny and degrade access large scale
  2. Russia attacks polling places connectivity either by the larger DoS or direct action against polling places and the electronic voting machines connection to upload results

The net effects of these types of attacks on the voting systems on the day of the election would have these potential effects on the process:

  • Insecurity and fear that the US is under attack
  • Insecurity and mistrust of the electoral process through electronic means
  • Not all voting systems have the paper backup so counting ballots would be null and void in some areas
  • Re-counts would occur
  • The parties (Dem and Rep) specifically in this heated election race would demand redress on the systems being corrupted by possible hacking attacks
  • Election results could be null and void

This scenario is quite possible and it does not have to be fully successful technically to actually be successful as an attack. The net effect of PSYOPS on the American process and people would already be carried out and in effect. Given this election cycle’s level of crazy, this one would be very hard to control and not have it spin into disarray. It does not take a lot to throw a monkey wrench into an already contentious election where persistent October surprises from hacked data are being splayed across the scrolling bars of CNN.

 

cuxaygnwoaaafku

Actors

With all the scenarios laid out, it is important to now cover the two actors and circle back to the events recently concerning DDoS. In Bruce’s piece he immediately went to the old stand by that; “China did it” I however do not agree with this assessment and the reasons are due to the nature of the actors and their motivations. Rational actors versus irrational actors are key points to consider when you are trying to attribute an attack like these recent attacks. All of this is speculative to start, so please bear that in mind with the attribution I make. (see dice above) For all I know these attacks could all just be cyber criminals seeking to hawk their “booter” service.

Who’s to say really?

DPRK

Per the assessments of CSIS and other experts on DPRK there is not much to go on in the way of hard data on cyber capabilities and actions from North Korea. However, they do have patterns of behavior and doctrine that has been smuggled out of the country in the past. The use of asymmetric attacks that take very little resources would fit perfectly with the DPRK’s desires and modalities. As mentioned above also, this type of attack would fit well with their “short war” stratagem.

screenshot_2016-10-03-17-49-19

 

screenshot_2016-10-04-08-01-21

North Korea under Un has shown a willingness to use cyber warfare tactics in attacks like Sony and understands they have nothing to use by leveraging them. Sanctions are not going to work on them even with the pain they may cause. The same can be said for attacks like DDoS, there is a low threshold to entry and use and they have a large asymmetric win in the eyes of DPRK. I would recommend that you call click the link at the top of this post for the CSIS paper on DPRK’s cyber capabilities and structure.

Russia

Russia is another animal altogether. Russia plays the game brashly but most of the time very smart. In the case of DDoS use we have already seen them leverage it in tandem with kinetic warfare and do so with success. Their recent use of it as a digital stick on Ukraine as well show’s that they are not afraid to use the attack in their back yard. However, use of it against other nations might be a bridge too far in some cases. The scenario I have laid out though with regard to the nations elections in November 2016 is quite plausible and the burden of proof that the DoS was carried out by Russia or a proxy would be hard to prove in an international court.

Another aspect of this scenario is just how far of a response would the US take if such attacks happened? With attribution being what it is, how would the country respond to an attack of this nature and what good would it do if the process is already tampered with? This scenario is mostly a PSYOP and once again, the damage would have been done. With Putin’s recent aggressive moves (re-forming the KGB and now walking away from the nuclear treaty) it is not beyond the scope of possibility that his penchant for disruption would win out.

Russia is a rational actor and this would be a rational attack. Imagine if by an attack of this kind it tips the election in favor of Trump?

Scary.

Conclusion

The DDoS attacks that have been happening recently do show that something is afoot. That something is coordinated and is being used to target key aspects of the net as well as DIB partners. What the end goal is and who is doing it all is still a mystery, but, these scenarios above are just as valid as once again pointing at China and yelling “THEY DID IT!”

Maybe something will happen in the near future…

Maybe not…

Either way, one should consider the adversaries who might be at play.

K.

UPDATE: Evidently I am not the only one who is thinking along these lines… The Daily NK had an article come out the same day, thanks to @JanetInfosec for the tip! According to this article they are assessing that on or near 10/10/2016 DPRK may attack ROK with electronic/hacking attacks as well as perhaps more launches of provocation.

 

Written by Krypt3ia

2016/10/04 at 21:14

Posted in CyberWar, D0S, DD0S, DPRK, Pooty Poot, PsyOPS, Russia

Tagged with ,

GREAT LEADER’S FACEBOOK LITE!

leave a comment »

Screenshot from 2016-06-03 08:56:40

This is what happens when I don’t pay attention. I TOTALLY missed this story about Andrew McKean’s logging into an ersatz DPRK facebook clone! Welp, I have gone back in time with Mr. Peabody and have found more goodies on this site that is no more. One has to wonder just who in Pyongyang thought this was a good idea. I kind of wonder if it was anyone there in Pyongyang but instead someone found a vulnerability and decided to fuck with Un. Either way, MUCH derp and schadenfreude ensued!

The site is a standard php version of a Facebook clone by phpdolphin

<div class=”footer-languages“> Copyright &copy; 2016 Our social network. All rights reserved. Powered by <a href=”/web/20160527183053/http://phpdolphin.com/” target=”_blank“>phpDolphin</a>.

I have to also wonder about the standard use of English as the primary language on the site and not Korean at all. Perhaps it was just the default for phpdolphin but I would assume it’d be easy enough to change that. Anyway, the site went up May 27th but the domain has been registered since 2009. A look with Mr. Peabody showed nothing there before for all the way back to the beginning of time

Screenshot from 2016-06-03 10:06:51

Screenshot from 2016-06-03 10:36:18

So either this was a big joke or it was a real honest to god thing that Un was allowing? Was it some hipster in Pyongyang with nothing to do at the local internet cafe? Was it someone in the hacking community laying a savage burn on Un and the DPRK? We may never really know but I for one wonder just how Un is reacting. I mean, shit, look what they allegedly did to Sony over a shitty movie right? Is there some kid in a DPRK gulag now because he decided to Punk Un?

 

Screenshot from 2016-06-03 10:07:28

Using the wayback I was able to see all the users on there and get shots of their pages. I gotta say I really wish I had been in the know because I would have set up a ROCKIN Team America page!

Can you imagine it?

America-fuck-yeah-t-shirt

My god what piels of laughter would have been maniacally coming from my office. Oh well.. Missed my chance… For now… Anyway here are the other users I found.

 

Screenshot from 2016-06-03 10:09:36

Crotch grabber!

Screenshot from 2016-06-03 10:09:22Iran got in on that action right quick!

 

Screenshot from 2016-06-03 10:09:06LOVE that photo

 

Screenshot from 2016-06-03 10:08:45

BAAAAAAHAHAHAHAHAHAHA random marketing script guy!

Screenshot from 2016-06-03 10:08:20

WAIT.. PRIMORIS ERA IS THAT YOU? WAIT. NO. IT’S ROBIN SAGE!

 

Screenshot from 2016-06-03 10:06:24

Rando Muslim guy… wait.. Is that you Packetknife?

Screenshot from 2016-06-03 10:06:14

Dis guy..

Screenshot from 2016-06-03 10:47:11

Screenshot from 2016-06-03 10:06:04

Roberta, you vixen you. LOOK YOU GOT KIM TO SAY HI!!!!

 

Screenshot from 2016-06-03 10:05:49

jkoebler I SALUTE YOU!

You have the most epic of the profiles other than Un himself man. The flag and Star Spangled Banner!!! DUDE you planted the flag on the digital Everest here man!

Screenshot from 2016-06-03 10:05:37

Yet another rando Middle Eastern guy it seems…

Screenshot from 2016-06-03 10:53:15

Last but certainly not least is Kim Jung Un himself! Who evidently studied at the Zoolander School for Kids Who Can’t Read So Good!

 

I am going to lean toward this being an EPIC troll or a troll of opportunity. I honestly can see that maybe something was left open on the box, someone sussed it out, and decided to go all @DPRKNEWS on this. To those who did this I salute you. For all you Anon’s out there, JESUS FUCK YOU MISSED OUT! This is the kind of merciless motherfuckery you should be pulling!

Ps.. If any of you out there did this and wanna say hey feel free to drop me a line here anonymously and gimme more details.

EPIC!!!!

Your move Un.

K.

 

Written by Krypt3ia

2016/06/03 at 14:58

Posted in DPRK

ASSESSMENT: DPRK Networks and CNO Capacities

leave a comment »

Screenshot from 2014-01-17 13:14:57

DPRK INTERNET AND INTRANET:

As the DPRK under Kim Jung Un has been poking the global bear lately with threatening faxes I thought it was time to re-approach the CNE/CNO/CNA capabilities that they have and gut check against the hype in the news cycle. As there has been talk of cyber attacks allegedly carried out by the DPRK against at least the South, one has to wonder just what kind of connection the North actually has to the global internet. As it turns out the DPRK has a class B  (175.45.176.0 – 175.45.179.255) address space that is ostensibly outwardly facing to the global internet. Inside the country though the fiber intranet is closed off to the external internet for the most part save for those eleets deemed important enough to have it. The gateways for this internet connection are sourced out to the Chinese mainland (China Unicom/ Star JV/ Loxley Pac) and are most likely located in southern China. This however has not stopped certain people actually downloading from Bittorrent  this last year so we know that a certain amount of people actually do have access that goes to the internet directly from Pyonyang which was a bit of a surprise for me at first but then you look at the small area from which they are coming from and you see it is a very small subset of people accessing the net to pirate movies. The masses though who have access to a computer are relegated to the Kwangmyong network that they can only access through the “Red Star OS” that the DPRK has special made for them to use. This intranet is from all reports, more like a BBS than the internet and consists of very little content and certainly not anything revolutionary (both technically and literally) I have downloaded a copy of Red Star and will be putting it in a sandbox to play with and report on at a later date.

 

Screenshot from 2014-01-22 14:28:49

Pirating:

Screenshot from 2014-01-22 14:41:14WHOIS for DPRK

 

DPRK Internet Accessible sites:

Root Zone File

Root Hint File

Screenshot from 2014-01-22 15:06:02http://pust.kr/

Screenshot from 2014-01-22 15:07:35

Uriminzokkiri a facebook like service located outside of the DPRK zone

Screenshot from 2014-01-22 15:11:46

uriminzokkiri.com WHOIS

DPRK CNO, CNA & CNE:

There seems to be some cognitive dissonance concerning the capabilities of the DPRK where network warfare is concerned. As seen below in the two snippets of articles either they have nothing much in place because they are focusing more on nuclear technologies or they are creating a master group of hackers to attack the US and South Korea. I for one think that the truth lies somewhere in the middle in that I know that fiber has been laid and that the eleet and the military both have access to the internet for their own purposes. That the connection is routed through a satellite ostensibly (mostly) shows just how disconnected the regime wants to be to insure their power consolidation. Though there is a single “internet cafe” in Pyongyang, it must be noted that it only serves network traffic to the intranet that they have created. I have to wonder though if perhaps somewhere within that infrastructure lies unknown dark spots where the government may not have as much control as they would like.

On the topic of cyber capabilities, the report said North Korea probably has a military computer network operations capability. North Korea may view computer network operations as an appealing platform from which to collect intelligence, the report added, and the nation has been implicated since 2009 in cyberattacks ranging from computer network exploitation to distributed denial of service attacks.

In assessing North Korea’s security situation, the report said, “North Korea continues to fall behind the rising power of its regional neighbors, creating a widening military disparity and fueling its commitment to improving asymmetric and strategic deterrent capabilities as the primary guarantor of regime survival.”

Tensions on the Korean Peninsula have grown as relations between North and South Korea worsen, the report noted. North Korea has portrayed South Korea and the United States as constant threats to North Korea’s sovereignty in a probable attempt to legitimize the Kim family rule, its draconian internal control mechanisms and existing strategies, the report said.

“The regime’s greatest security concern is opposition from within,” the report added, “and outside forces taking advantage of internal instability to topple the regime and achieve unification of the Korean Peninsula.”

North Korea seeks recognition as an equal and legitimate international player and recognized nuclear power and seeks to normalize its diplomatic relations with the Western world and pursue economic recovery and prosperity, the report said.

“[North Korea’s] rhetoric suggests the regime at this time is unlikely to pursue this second goal at the expense of the primary goal of pursuing its nuclear and missile capabilities,” the report added.

DOD Report: North Korea Still Critical U.S. Security Threat

North Korea has the highest percentage of military personnel in relation to population than any other nation in the world, with approximately 40 enlisted soldiers per 1000 people with a considerable impact on the budge of the country.  Don’t forget also that North Korea has capabilities that also include chemical and biological weapons.  A defector has declared that North Korea has increased its cyber warfare unit to staff 3,000 people and it is massive training its young prodigies to become professional hackers.

The large cyber force responds directly to the command of the country’s top intelligence agency, the General Reconnaissance Bureau. Last year in internet have been published satellite photos of the area that is suspected to host  North Korea’s ‘No. 91 Office’, a unit based in the Mangkyungdae-district of Pyongyang dedicated to computer hacking, its existence was revealed in a seminar on cyber terror in Seoul.

According the revelation of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is massive investing in cyber warfare capabilities, recruiting and forming high skilled team of hackers to be engaged in offensive cyber operations against hostile government and in cyber espionage activities.

In more than one occasion the North Korea has threatened the South promising waves of attacks, and the cyber offensive option is the most plausible considering the advantage in terms of efficiency, noise and political impact.

North Korea’s electronic warfare capabilities are second only to Russia and the United States…

Increasing concerns on cyber warfare capabilities of the North Korea

So when the question of CNO/CNA/CNE comes up with many here in the rest of the world it is all pretty much a guess as to what the answer truly is. Of course I would love to know what the NSA knows about that internal infrastructure. I suppose that the NSA, with all of the revelations of late, probably has(d) entre into the intranet from hardware that had been spiked with surveillance tech. Overall the picture from using nmap and other technologies shows that the infrastructure outside looking in, without backdoor access to China Netcom systems, is pretty blank from an information warfare perspective. The sites that are sitting out there that are live are flat but if one were to r00t one what would the acl’s be like one wonders. DPRK has spent a lot of time hardening and walling themselves off but nothing ever is 100% secure. With all the talk about their DD0S attacks against S. Korea though and the bank hack (2013) there have been some leaks that lead us to believe that they do use that .kp IP space for access to their malware C&C’s. In the case of the bank hack this last year the malware was beaconing to an IP within their internet facing space surprisingly. For the most part though the attacks that have been perpetrated by the DPRK have been through proxy addresses (S. China etc) so as to have some plausible deniability.So short of some leaking of intelligence on DPRK and their internal fiber networks it’s pretty much still a black hole or maybe more apropos a giant darknet of their own and we cannot see inside.

中国黑马: 

Speaking of Darknets I just wanted to touch on this idea for a bit. One wonders just what CNA/CNO the DPRK might be carrying on with regard to TOR nodes and the use of the darknet. I should think an interesting study might be tracking IP’s from Southern China to see where much of that traffic is being routed through TOR nodes. I think that this could be a real untapped subject for study to date. If the eleets have access to not only the internet through INTELSAT/Chinacom and MAC OSX boxes then perhaps some of them are actually routing traffic through proxies like TOR to cover their own censorship arcology? Can you imagine that Un doesn’t have high speed SAT connection through INTELSAT so he can surf unencumbered? What about certain high ranking intelligence and military people as well? It surprises me that I am not seeing more in the darknet from the DPRK itself as well. Of course this would, even with it being on TOR or in a proxied hosted system, a dangerous game to have any kind of truth telling coming directly out of Pyongyang. Still though, I would love to see this happen as well as perhaps some incursion into the intranet by someone adding a rogue SAT feed and a router. Presently I have seen reports about how former DPRK escapee’s have been smuggling in DVD’s, Net-Top PC’s and Netbooks over the Chinese border and giving them to people. The thrust of this idea is to bring Western movies and media to the DPRK as a subtle form of mental malware. I would push that further and create a new darknet within their dark fiber network.

ANALYSIS:

When one sIn the final analysis, the DPRK has connectivity that is very limited in scope and in actual use. The eleet few have access to the outside world while the rest have a very controlled intranet that is full of propaganda and surveillance. When one starts talking about their capabilities for cyber warfare you have to take what is usually said with a grain of salt or a whole shaker. The fact of the matter is that much is still not known about their capabilities outside of perhaps the NSA and certain people in the IC. From the attacks seen to date we have seen much activity out of China that could also be dual purpose attacks for DPRK as well. Since much of their CNA/CNE capabilities and training has come out of (literally) China one has to assume that not every China hack is just for China or originating from them. For that matter, it is entirely possible that traffic we have all seen coming from S. Korea could in fact be proxy attacks from the DPRK as well for plausible deniability. My feeling though is that the DPRK is still getting it’s unit’s together and building capacities and is not a clear and present danger to the world from any kind of cyber warfare scenarios. DPRK uses the aggrieved and angry squeaky wheel approach to diplomacy cum bullying on the world stage and is not suited for sneaky cyber war just yet. Also cite the fact that if you poll the likes of Crowdstrike or Mandiant you will not see too many (if any at all) attacks or campaigns being designated to DPRK actions. Now why would that be?

K.

 

 

Written by Krypt3ia

2014/01/22 at 21:41

Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence

leave a comment »



From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time. These current attacks on South Korea’s systems seems to be now, more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is unless the end target of the DD0S is just that, one of more than one target?

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This too also applies to just going after document files, this would cause damage to the collateral systems/users/groups

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive, it is in fact just rendering it useless (potentially, unless you can re-build the MBR AND you zero out the data on board) as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defences.

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data

Ouch.

Interesting times….