Operation Troy (Dark Seoul) Threat Assessment

Posted: August 13, 2013 in Computer Security, Cyber Security, Korea
Tags: , , , , ,

In this blog post we discuss whether the perpetrators of Dark Seoul could be classified as an advanced persistent threat, based on the definition and primary characteristics. Furthermore we explore the techniques used and possible advanced techniques that could have been exploited in making the malware more sophisticated.

Advanced Persistant Threats (APTs)

APTs are a class of hackers that are well resourced, persistent, and highly motivated [21]. Their targets have typically been political as the main actors with these resources are nation states and their foreign intelligence services. However there has been a shift towards targeting enterprises with the goal of obtaining intellectual property or industrial espionage, which has led to the idea the involvement of other threat actors such as rival corporations or organized crime. The relationship between different types of adversaries and attack characteristics is illustrated below.

APT_Sophistication_Attack_Surface

Target specific victims

Unlike common malware that have the goal of infecting as many hosts as possible, attacks carried out by APTs are intended for one particular domain or organization. Adversaries usually limit the propagation of their malware to certain networks or systems to keep it contained. As a result the first parts of the attacks will mostly escape detection by national or global scale Computer Security Incident Response Teams (CSIRTs) due to the low profile generated and absence of widespread suspicious network traffic. People would know about the attacks after a major payload had been executed, e.g. sudden spikes in network activity such as by a DDoS.

Develop new and customized malware payloads

In order to increase the probability of success, APTs design customized malware payloads and attack vectors according to their targets. Unpublished Zero-Day exploits remain at the core of APT attacks. A vivid example of this is how an unprecedented 4 Zero-Day exploits were used in Stuxnet. The importance of exploit development was underscored at the 2012 AusCERT conference where Mikko Hypponen mentioned that the fourth largest defense contractor in the U.S., had 137 top secret openings exclusively for exploit developers [22]. This suggests a cyber-arms stockpiling of Zero-Day exploits is underway. Meanwhile an already thriving black market exploit industry is making this commodity accessible to criminal organizations and other parties with prices ranging from $500 – $250,000 [23].

Employ advanced evasion techniques

As the APTs have the objective of infiltrating their targets and remaining undetected for as long as it takes to achieve their goals, evasion techniques are used to hide malware payloads. The methods used vary from obfuscation, network based fragmentation and session splicing, application or protocol violations, disabling intrusion detection systems (IDSs), to more advanced techniques such as encryption and code reuse attacks [24]. In the world of DDoS attacks, an advanced evasion technique could be the usage of distributed, dynamically changing C&C servers. This kind of botnet architecture is very challenging to shutdown and trackdown.

Operate over an extended period of time

APT actors are willing to invest months, if not years in preparation and the actual execution of the attack. The case studies discussed in this paper had execution times varying from eight months to more than three years. After gaining a foothold into the target, the malware can be controlled to remain dormant or propagate laterally through the network until the makers are sure that the right host or intellectual property is found. In the example of Stuxnet, over a period of at least 3 years, the malware was continuously propagated and updated until it reached the PLC’s (Programmable Logic Controllers) of Iran’s enrichment centrifuges.

Exploit vulnerabilities in people

A key characteristic of APT attacks is that the actors take the time to research potentially exploitable people in order to infiltrate their organization. People are often the weakest link in an organization’s security posture and this fact has been exploited for decades since the first phishing attacks. Potential human targets can be found by searching through social networking sites or by simply searching the telephone directory. They could be either employees or contractors of the organization being targeted. The next step would be conducting spear-phishing attacks with the intention of infecting a host or USB storage device. This would become the initial entry point of the attack vector, as demonstrated in Dark Soul, and is a common characteristic found in most APT attacks.

Were the actors behind Dark Seoul an APT?

The methodology used in Dark Seoul follows a pattern commonly used by APT’s, beginning with social engineering, software vulnerability exploitation, escalation of privileges, and post exploitation activities. However upon closer examination of each component, it becomes apparent that most of the malware is dated and lack advanced evasion capabilities. The CVE-2012-1889 vulnerability for example had been public since at least March 2012, giving Microsoft ample time to release a security patch. Moreover, no zero-day vulnerabilities were exploited, creating a much higher chance for detection by anti-viruses and failure in patched systems.

Table1

Comparing Dark Seoul with previous attacks shows that it was technically low in sophistication, yet caused high impact to the organizations affected. One of the intuitive indicators of the low level of sophistication is that it was completely preventable with use of existing technology, software updates, and simple user awareness.

Table2

Nevertheless, to determine whether or not the actors behind the attack are an APT or not, we need to go beyond a preliminary examination of this particular incident. We highlight that the term APT refers to a specific class of adversary, therefore in order to place the people behind this attack under a certain category, we need to look at their history. McAfee described the 2011 attack, as only a “cyber war exercise”. Since we know that Dark Seoul was executed by the same group that attacked South Korea in 2009 and 2011, then yes, the perpetrators can be considered an APT. If the attack was a standalone isolated incident with no indication of who the perpetrator might be, then it was most likely not orchestrated by an APT. Therefore taking into account that North Korea was identified as the party responsible for Dark Seoul, then they definitely can be classified as an APT despite the technical specifics of this attack. As these facts are public information, South Korea is now all the more vulnerable, as even adversaries less capable than APTs also understand the country’s overall cyber security posture and could be motivated launch their own cyber crime activities.

Table3

References:

[21] Command Five Pty Ltd “Advanced Persistent Threats: A Decade in Review,” [online] June 2011, Available: http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf (Accessed: 18 April 2013)
[22] ZDNet: Up in cyber arms: AusCERT 2012. http://www.zdnet.com.au/up-in-cyber-arms-auscert-2012-339338008. (Accessed May 18, 2012)
[23] C. Miller, “The Legitimate Vulnerability Market,” in Sixth Workshop on the Economics of Information Security, 2007
[24]  J.A.P. Marpaung, M. Sain, H.J. Lee, “Survey on Malware Evasion Techniques: State of the Art and Challenges” in 14th International Conference on Advanced Communication Technologies, 2012, pp 744-749.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s