Tuesday, December 23, 2014

Copycat Hacks Becoming Commonplace

While Government experts have pointed the finger at North Korea in the recent attack on SONY, we are still not convinced. The reason we are not convinced lies in the OSINT-X data we have archived and analyzed, the malware used in the attack, and the similarities to an earlier attack on South Korean banks. One thing is for sure: the Government is not an OSINT-X customer at this time, although we have had contact and interest in the product for other uses within the DOD. The FBI could probably use the system to help them in this type of case, but as of yet they have not requested access or a stand-alone system at any of their locations, even though we have offered in the past.

One thing stinks in this whole North Korea blame game. There are misspellings in some of the code used in the first attack, and the second attack does not show the same signs. We find it hard to believe that the same people are responsible, based on word structure and simple elimination: the IP addresses cited in an earlier report have changed hands in the botnet wars on more than four separate occasions over the past year, and one of the IPs is under the direct control of a known China group that would be more suited to carrying out this type of attack. This same IP is also hosting malware and has been listed as a compromised system 2 times in the past 2 months.

Truth be told, nobody knows exactly who committed this act, and it is nearly impossible to find out without access to the Internet Service Providers' (ISP) core networks to analyze traffic. I say show me proof and I'll believe that it was North Korea. There are too many ways for these guys to cover their tracks to make a connection through one of the 1024 official IP addresses in use in North Korea. That figure is also wrong, as there are over 5000 IP addresses in our systems that lead to North Korean-associated entities masked as news and public information sites (most of which are hosting propaganda on servers outside of North Korea). It stands to reason, based on our intelligence, that the North Korean Government is directly responsible for these systems, as they do not allow outside entities to utilize communications systems and have played mock games with various releases of "malware" and viruses on these same systems, infecting thousands of other entities. If they were in fact responsible, they would do what every other hacker does and use jump servers to mask their identity.

If you really want to see something interesting, look at the 194.165.134.0/24 block and at the connections going to and from the Internet via that IP block. Then you may be able to tell us something.
