by Feike Hacquebord, Stephen Hilt and Fernando Mercês
Alleged attacks from North Korean actors are a hot security research topic. The infamous Sony Pictures hack in 2014, for instance, was reported by some to be the work of North Korean threat actors. There is a lot of interest in Lazarus too, which is purportedly a North Korea-linked group responsible for a couple of global bank heists that attempted to steal staggering amounts of money.
In this blog post, we will look into smaller scale attacks in which an actor group allegedly attacked high profile targets working in the energy and transportation sector of South Korea for more than three years in a row. These attacks, which are known as OnionDog, received some publicity in the media. A perfunctory look into these actors’ activities might easily lead to hasty conclusions on attribution. We had a more thorough look, in which we reached an interesting conclusion: OnionDog is not a targeted attack. OnionDog is a cyber drill.

OnionDog is a Cyber Drill
OnionDog was first observed in 2013. When it was reported in 2016, it was named as the actor behind attacks on South Korean energy and transportation companies going back to 2013. We know of about 200 unique OnionDog samples. At first sight, it looked like the work of a small but still-significant threat actor group.
A report from Qihoo 360’s Helios Team has the most detailed analysis of OnionDog. It included indicators of compromise (IoCs) such as hashes of malicious files along with eight specific command-and-control (C&C) IP addresses. The IP addresses are indeed callback addresses for malware-infected computers, but their purpose does not look malicious; they appear merely meant to record which targets fell victim to a cybersecurity drill. We looked up historical domain resolutions of these eight IP addresses and found the following:

IP               Domain                 Active
188.8.131.52     korea.kr.ncsc.go.kr    June 2011―August 2011
184.108.40.206   cyber.ncsc.go.kr       June 2011―August 2011
220.127.116.11   drill12.ncsc.go.kr     July 2012―August 2012
18.104.22.168    dril113.ncsc.go.kr     August 2013
22.214.171.124   drill12.ncsc.go.kr     August 2013

Table 1: Historic passive DNS data of hardcoded OnionDog C&C IP addresses

IP1              Domain IP1   IP2              Domain IP2
126.96.36.199    None         188.8.131.52     dril113.ncsc.go.kr
184.108.40.206   None         220.127.116.11   korea.kr.ncsc.go.kr
Table 2: Two pairs of OnionDog C&C IP addresses with the same HTTP response in July and August 2014. These responses were unique in historical Internet-wide HTTP scans by Rapid7.
The ncsc.go.kr domain belongs to the National Cyber Security Center (NCSC) of South Korea, indicating that the five IP addresses in Table 1 belonged to the NCSC of South Korea. Two more C&C IP addresses cited in the report had virtually unique digital fingerprints based on their response to basic HTTP requests. This convinced us that these were controlled by the South Korean NCSC in 2014 too. So seven out of the eight IP addresses listed in the report clearly linked back to the NCSC at some point in the past. This alone already made us think that the OnionDog samples were related to cyber drills.
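The passive-DNS pivot described above, as an added example that is not code from this post or from Trend Micro: given a sample's hardcoded C&C and compile time, it checks whether the C&C is a hostname inside the NCSC zone, or an IP address that historically resolved into that zone, and whether that resolution window covers the compile time. The passive-DNS records are constructed from Table 1 (widened to whole months), the "DD/MM/YY HH:MM" compile-time format is the one used in the post, and the HTTP-fingerprint pivot used for the remaining two IPs is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime

DRILL_ZONE = "ncsc.go.kr"  # zone of South Korea's NCSC, named in the post


@dataclass(frozen=True)
class PdnsRecord:
    ip: str
    domain: str
    first_seen: date
    last_seen: date


# Constructed from Table 1; the table only gives months, so each
# window is widened to whole months (an assumption of this example).
PDNS = [
    PdnsRecord("188.8.131.52", "korea.kr.ncsc.go.kr", date(2011, 6, 1), date(2011, 8, 31)),
    PdnsRecord("184.108.40.206", "cyber.ncsc.go.kr", date(2011, 6, 1), date(2011, 8, 31)),
    PdnsRecord("220.127.116.11", "drill12.ncsc.go.kr", date(2012, 7, 1), date(2012, 8, 31)),
    PdnsRecord("18.104.22.168", "dril113.ncsc.go.kr", date(2013, 8, 1), date(2013, 8, 31)),
    PdnsRecord("22.214.171.124", "drill12.ncsc.go.kr", date(2013, 8, 1), date(2013, 8, 31)),
]


def in_zone(name: str, zone: str = DRILL_ZONE) -> bool:
    """True if name is the zone itself or any label below it (not a mere suffix match)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def classify_c2(c2: str, compiled: date, pdns=PDNS) -> str:
    """Label a sample's hardcoded C&C by whether it ties back to the drill zone."""
    try:
        ipaddress.ip_address(c2)
    except ValueError:  # a hostname rather than an IP literal
        return "drill-domain" if in_zone(c2) else "unrelated-domain"
    hits = [r for r in pdns if r.ip == c2 and in_zone(r.domain)]
    if not hits:
        return "no-pdns-link"  # may still pivot via other data, e.g. HTTP fingerprints
    # Was the IP pointing into the drill zone while this sample was being built?
    if any(r.first_seen <= compiled <= r.last_seen for r in hits):
        return "drill-ip-concurrent"
    return "drill-ip-historical"


def classify_sample(c2: str, compile_time: str, pdns=PDNS) -> str:
    """Convenience wrapper for the DD/MM/YY HH:MM compile-time format used in the post."""
    compiled = datetime.strptime(compile_time, "%d/%m/%y %H:%M").date()
    return classify_c2(c2, compiled, pdns)
```

An IP that only resolved into the zone years before the sample was compiled is weaker evidence than a concurrent resolution, which is why the two cases are labelled separately.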
We found about 200 files in the wild related to OnionDog, which means the cyber drills’ tools were not contained in a controlled environment. This potentially poses problems―after all, no one wants these methods and tools to become public, especially when they were specifically intended for the drill.
Below are some of the samples belonging to OnionDog: