Russia tries to disappear after attacks...

During a recent cyber exercise we uncovered some interesting activity by monitoring traffic going into several hosting partners. Initially we started seeing many TOR and VPN connections from servers, so we were not sure of the content. Upon realizing that TOR was being leveraged to hide the traffic, we decided to do what any security team worth their salt would do: we went to our own TOR exit nodes and started searching for connections. Within minutes our TOR nodes started painting a picture of activity, and it was not what our analysts expected. You see, we were searching for threat actors reported to be from North Korea; some of the code was even annotated and made to look like it originated out of the Peninsula. The connections this software was making, however, told a different story.

While we utilize MISP for our threat intelligence, we don't use the MISP dashboard due to some security concerns we have with how it is implemented, so we turned to our Threat Intelligence and Monitoring Platform to see what sense we could make out of the TOR traffic. By pulling in data from our TOR nodes and exposing the sources, we were able to figure out where the traffic was coming from and who was behind the IOT attacks we were researching.

You can make it look like North Korea, but you can't completely hide when we have trickery up our sleeves also.

The first map we pulled up showed the activity coming from all over the place. Now keep in mind we do see the attacks coming out of Germany, but we know who they are: that's a couple dozen compromised hosts that are being left online for tracking purposes. You see the hotspot?

Now when we filter for just initiated connections we see something even more interesting.

Filtering by source, we find that 20 sources exist: 5 in Germany (previously mentioned) and 15 shown in the map above. So even though Russia can put Korean code in the exploits and code they are pushing, attribution is easy based on where the connections originated.
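The filtering step described above (keep only initiated connections, then count distinct sources per country) is shown below as an added example; this is not Jigsaw's code or data. The connection records, the country-to-prefix table and the field layout are all constructed for the example, using documentation address ranges, and the ISO country codes assigned to them are arbitrary.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records in the shape an exit-node operator might log them
# (timestamp, direction relative to the node, source, destination, TCP flags).
# Addresses are RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z out 203.0.113.10:51234 -> 198.51.100.7:23 SYN
2018-03-01T10:00:01Z in 198.51.100.7:23 -> 203.0.113.10:51234 SYN,ACK
2018-03-01T10:00:02Z out 203.0.113.10:51235 -> 198.51.100.8:23 SYN
2018-03-01T10:00:05Z out 203.0.113.44:40001 -> 198.51.100.9:2323 SYN
2018-03-01T10:00:09Z out 192.0.2.5:33000 -> 198.51.100.7:23 SYN
2018-03-01T10:00:09Z out 192.0.2.5:33001 -> 198.51.100.7:23 ACK
2018-03-01T10:00:12Z out 192.0.2.77:33002 -> 198.51.100.10:80 SYN
2018-03-01T10:00:15Z out 203.0.113.10:51236 -> 198.51.100.11:23 SYN
2018-03-01T10:00:20Z out 198.18.0.1:44444 -> 198.51.100.7:23 SYN
"""

# Hypothetical prefix-to-country table standing in for a GeoIP lookup.
# The country codes are assigned arbitrarily for this example.
COUNTRY_PREFIXES = {
    "203.0.113.0/24": "DE",
    "192.0.2.0/24": "RU",
}
_NETS = [(ipaddress.ip_network(p), cc) for p, cc in COUNTRY_PREFIXES.items()]


def parse_record(line):
    """Split one log line into its fields; flags become a set for easy testing."""
    ts, direction, src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError("unexpected record layout: %r" % line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "dir": direction,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "flags": set(flags.split(",")),
    }


def is_initiated(rec):
    """An initiated connection is an outbound packet carrying SYN without ACK.
    SYN,ACK replies and ACKs on already-established flows are not counted."""
    return rec["dir"] == "out" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def country_of(ip):
    """Longest-match is unnecessary here because the constructed prefixes don't overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETS:
        if addr in net:
            return cc
    return "unknown"


def sources_by_country(log_text):
    """Return {country: sorted list of distinct source IPs that initiated connections}."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_initiated(rec):
            buckets[country_of(rec["src"])].add(rec["src"])
    return {cc: sorted(ips) for cc, ips in buckets.items()}


def summarize(log_text):
    """Return (per-country source counts, total distinct sources)."""
    by_cc = sources_by_country(log_text)
    counts = {cc: len(ips) for cc, ips in by_cc.items()}
    return counts, sum(counts.values())


if __name__ == "__main__":
    counts, total = summarize(SAMPLE_LOG)
    for cc, n in sorted(counts.items()):
        print("%-8s %d source(s)" % (cc, n))
    print("total distinct initiating sources:", total)
```

On the constructed sample this yields two sources in DE, two in RU and one that no prefix covers, five in total; the repeated SYNs from 203.0.113.10 collapse to one source, and the SYN,ACK reply and the bare ACK are dropped because they do not initiate anything. Counting distinct initiating sources rather than raw connections is what keeps a single noisy host from dominating the map.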

Don't get us wrong: as far as our data shows, the US leads when it comes to hacking, but we concentrate on known campaigns rather than the overall statistics.

For more information on this activity, please see the APT category in the Jigsaw Threat Intelligence platform.

#Hacking #Russia #ActivityReport #IOT



© 2017-2018 Jigsaw Security Enterprise Inc.
