During a recent cyber exercise we uncovered some interesting activity by monitoring traffic going into several hosting partners. Initially we started seeing many TOR and VPN connections from servers, so we were not sure of the content. Upon realizing that TOR was being leveraged to hide the traffic, we decided to do what any security team worth its salt would do: we went to our own TOR exit nodes and started searching for connections. Within minutes our TOR nodes started painting a picture of the activity, and it was not what our analysts expected. You see, we were searching for threat actors reported to be from North Korea; some of the code was even annotated and made to look like it originated from the Peninsula. The connections this software was making, however, told a different story.
While we utilize MISP for our threat intelligence, we don't use the MISP dashboard due to some security concerns we have with how it is implemented, so we turned to our Threat Intelligence and Monitoring Platform to see what sense we could make of the TOR traffic. By pulling in data from our TOR nodes and exposing the sources, we were able to figure out where the traffic was coming from and who was behind the IoT attacks we were researching.
You can make it look like North Korea, but you can't completely hide when we have trickery up our sleeves also.
The first map we pulled up showed the activity coming from all over the place. Now keep in mind we do see the attacks coming out of Germany, but we know who they are: a couple dozen compromised hosts that are being left online for tracking purposes. You see the hotspot?
Now when we filter for just initiated connections we see something even more interesting.
Filtering for sources, we find that 20 sources exist: 5 in Germany (previously mentioned) and 15 in the map above. So even though Russia can put Korean code in the exploits and code they are pushing, attribution is easy based on where the connections originated.
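The filtering described above (keep only connections the source initiated, deduplicate by source, then count distinct sources per country while setting aside the hosts we already track) is straightforward to script. The block below is an added example, not the author's tooling and not code from MISP or the Jigsaw platform: the exit-node log format, the sample records, the country codes and the `TRACKED_HOSTS` set are all constructed for illustration, and it assumes the country code has already been resolved upstream (for instance by a GeoIP lookup) and written into the log.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample records in a hypothetical exit-node connection log format:
#   <timestamp> <direction> src=<ip> cc=<country> dst=<ip>:<port>
# "initiated" means our node saw the source open the connection; "received"
# flows are replies or inbound traffic and are not counted as sources.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z initiated src=203.0.113.10 cc=DE dst=198.51.100.7:23
2024-03-01T10:00:02Z initiated src=203.0.113.11 cc=DE dst=198.51.100.7:23
2024-03-01T10:00:03Z initiated src=203.0.113.10 cc=DE dst=198.51.100.9:2323
2024-03-01T10:00:04Z received  src=198.51.100.7 cc=US dst=203.0.113.10:40001
2024-03-01T10:00:05Z initiated src=192.0.2.21 cc=RU dst=198.51.100.7:23
2024-03-01T10:00:06Z initiated src=192.0.2.22 cc=RU dst=198.51.100.8:23
2024-03-01T10:00:07Z initiated src=192.0.2.21 cc=RU dst=198.51.100.9:2323
2024-03-01T10:00:08Z initiated src=192.0.2.99 cc=US dst=198.51.100.9:23
2024-03-01T10:00:09Z received  src=192.0.2.99 cc=US dst=198.51.100.9:23
2024-03-01T10:00:10Z garbage line that should be skipped
"""

# Hypothetical set of already-known compromised hosts that are left online for
# tracking; these correspond to the "known Germany" sources in the write-up.
TRACKED_HOSTS: Set[str] = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into records; malformed lines are skipped."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        rec: Dict[str, str] = {"ts": tokens[0], "direction": tokens[1]}
        for tok in tokens[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rec[key] = value
        # Require the fields the analysis depends on; drop anything else.
        if "src" in rec and "cc" in rec:
            records.append(rec)
    return records


def initiated_sources(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each distinct initiating source IP to its country code.

    Only records whose direction is "initiated" count, so replies and inbound
    flows do not inflate the source list, and repeat connections from the same
    IP collapse to one entry.
    """
    sources: Dict[str, str] = {}
    for rec in records:
        if rec["direction"] == "initiated":
            sources.setdefault(rec["src"], rec["cc"])
    return sources


def summarize(records: List[Dict[str, str]],
              tracked: Set[str]) -> Tuple[Counter, Counter]:
    """Return (known, unknown) per-country counts of distinct initiating sources.

    "known" covers sources already in the tracked set; "unknown" is everything
    else, which is the part of the picture that still needs attribution work.
    """
    known: Counter = Counter()
    unknown: Counter = Counter()
    for src, cc in initiated_sources(records).items():
        (known if src in tracked else unknown)[cc] += 1
    return known, unknown


if __name__ == "__main__":
    known, unknown = summarize(parse_log(SAMPLE_LOG), TRACKED_HOSTS)
    print("tracked sources by country:", dict(known))
    print("unknown sources by country:", dict(unknown))
```

Splitting the tally into tracked and unknown sources keeps the hosts you deliberately leave online from masquerading as new activity in the per-country view; on the constructed data the script reports two tracked German hosts and three unknown sources (two RU, one US).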
Don't get us wrong, the US is the leader when it comes to hacking as far as our data shows, but we concentrate on known campaigns rather than the overall statistics.
For more information on this activity, please see the event in our APT category in the Jigsaw Threat Intelligence platform.