
Moving forward to our next speaker, we have a very interesting talk, I would say. We have Nick Roy with us. Nick Roy is actually working with Splunk; he's a security specialist, and he is going to discuss today open source intelligence and the Hermit Kingdom: leveraging online sources to learn more about the world's most secretive nation. So let's see what Nick tells us about the world's most secretive nation. And yep, again, post your questions to Discord if you have any. Nick, handing over to you.

All right, thanks guys. Good morning everyone. So my name is Nick Roy and my talk is OSINT in the Hermit Kingdom: learning more about the world's most secretive nation.
So we'll jump right into it. I know we have about 45 minutes, so we'll save some of the introduction slides for later. But if you're not familiar with open source intelligence and what it is: essentially it's data collected from publicly available sources that we're going to use in an intelligence context. In our case it's going to refer to anything that's publicly accessible; it's not related to any kind of open source software or collective intelligence. There are certainly plenty of paid tools you can use, but today we're really just going to be looking at what's free and what can be found from the comfort of sitting on our couch at home.

Why is open source intelligence important? What can it be used for? If we think about a couple of different perspectives: red team, when we start scanning an attack surface we want to start identifying various systems and services, we want to look for any kind of leaked information, credentials that we can find, information that employees might be posting on LinkedIn or other sites that we may not want them posting. Blue team, obviously we want to find all of that before someone else finds it; we can use this in our monitoring, our learning, we can use it for enriching our alerts, our threat hunting. So there's a lot of good ways that we can use this data, and we'll take a look at some of that today: some of the various sources, as well as some other, kind of different, sources that we may not always think about.

What are some of the benefits of using open source intelligence? It is less risky, especially in my case. If we're doing some research we're not going out and actively probing any of these systems; really we're just relying on information that we can find publicly on the internet. We're doing some clever Google searches, we're looking on social media. It is pretty cost effective; I think I've been working on this for about three, four years now and I've spent maybe a [inaudible] dollars. So it is pretty easy to gather all this information. And I am certainly not a lawyer in any way, but essentially everything that we're looking for is already available, it's already published, it's already online, so it's really just a matter of finding this information and being able to interpret it.

So while that all sounds well and good, there are some challenges that we run into as well. One of the biggest problems I face all the time is just that there is a lot of data out there. This was a great screenshot that I found of some of the various sources that we can use; there is a lot of data out there. And reliability is always a problem, especially if it's things that are just published on the internet; we want to try to validate our data as much as we can. And one of the biggest challenges is having to manually review a lot of this data. Especially in my case, when I started working on this a couple of years ago I really didn't know what I was [inaudible], which makes it sort of challenging because I really didn't know where things would lead me. So I spent a lot of time on things that really just didn't have any value or really have anything good in there. So there's a lot of time spent just reviewing this data to make sure that we're getting quality data and information that we can use.
So why North Korea? A couple of years ago it just started out as an interesting idea. There's a series called the Vice Guide to North Korea, it's on YouTube, and they looked at it from the perspective of kind of the day-to-day citizen; they went on a tour of North Korea, and that was kind of what made me interested. Someone said, I wonder if there's anything online in North Korea, and I said I actually have no idea, and it led me down this rabbit hole that, four years later, I get to talk about some of the things that I found. I've met some interesting people along the way as I've been doing this, but it really started out as kind of a couple of questions that were asked, and three, four years later it's a lot more information than I ever thought I'd put together on something outside of maybe the sixth grade for some book reports.
So let's get right into it. When we start to think about open source intelligence and ways we can start to gather this data and what we want to start looking for, the first thing that we want to do is identify what the systems are and start to identify these various assets. There are a couple of ways that we're going to start gathering this information. We're going to use passive intelligence, which is what we're going to focus most of our time on today, but we can do things that are semi-passive: maybe I'm using something like the website BuiltWith, where it's going to go and crawl a website and tell us all the technologies and fun JavaScript libraries that are being used on a website, where again we're not actually browsing to these sites; we're relying on other services to gather this data for us. And then we can do full-on active gathering. This is what we're trying to avoid; we don't want to be just running our Nmap scan. This is very loud, this is very noisy; we want to try to gather as much information as possible without ever actually probing any of these systems.

What do we want to find? We want to start to identify any kind of internet-facing systems, what kind of software and things are running on them, can we find any kind of cloud systems that are associated with these domains, any kind of operating systems; really starting to just build out a scope for what we want to identify and further investigate.

So the first question that I got asked a long time ago is: is North Korea online anywhere? This is actually a pretty easy question to answer. There is a Wikipedia article that covers the IP address range that's assigned to North Korea. They have four class C networks on this subnet here, so it's off to a good start; pretty easy to find this. There are a couple of other subnets that North Korea is associated with. In the last three, four years I've talked to a couple of other people about this; also there's never really been any activity there to really get a good idea of what it's being used for. So in our case we're just going to focus on this /22, .176 to .179, and see what we can find in there.
Now what do we do if we don't have a Wikipedia article? This is always the question of the day. As much as Wikipedia makes everything easier, sometimes we have to start doing a little bit of research on our own to figure out exactly what's in scope. So if we look at something like apple.com, you can use something as simple as the dig command. This will tell us not only the IP addresses that are resolving, but it gives us some other information here: the AS number. And this is how we start to resolve IP addresses to the organization that owns them. So I can see apple.com has an AS number of 714; I can look that up online and I can see the almost 50 million IP addresses that Apple owns and is responsible for.

Now we want to make sure that we are validating our data. While Wikipedia is a great source of information, certainly there are people who have changed it to win bets. So we can do the same thing: we can run the dig command, we can find the AS number for that block of IP addresses, in this case it's 131279. If we look that up online we can see that yes, those four class C networks are assigned to North Korea for their usage. So now we have an idea of where we're starting; we've sort of narrowed down our scope a little bit here from the entire internet to four class C networks.

The next thing we want to do is identify what kind of devices are available, what kind of services are running out of those thousand and twenty-four IP addresses, how many of them are actually online. So I started doing some Google searching; I wanted to see how far back I could find this information, is this something that anyone else has looked into? And what I found was a website that someone had published back in November of 2010. They ran an Nmap scan against North Korea and they found that there were 13 servers online at the time. There were a couple of web servers, but there wasn't too much else that was online at the time.
So if we fast forward to today, one of the things we also want to see is whether things changed over time. This is just something that I'm always interested in knowing: how many more servers have come online, have they grown at certain points? One of my favorite websites is GitHub, not only because I like using it for backing up all of my code there, even for real development purposes, but the other thing you can do is you can find a lot of interesting things that people are committing to GitHub, whether that's on purpose or not. We'll talk more about GitHub in a little bit and some of the things you can find on there. But in my case I started searching GitHub for North Korea and I found that people are constantly scanning North Korea and publishing their scans for anyone to view. This makes my life easier; now I don't have to ever run a scan to get the information that we're looking for. Again, if we start to look in some other different sources we might be able to find a lot online, and truthfully one of my favorite reasons is there's always things that people are accidentally committing to GitHub. Again, we'll talk more about it in a little bit and some of the other interesting things you can find on there. But again, when we start thinking about open source intelligence it doesn't always have to be just these traditional threat feeds that we're used to thinking about; there are different sites out there that we can use, especially if they're making data publicly accessible that we can really search through, and get creative with trying to find little pieces of information that we can use later on as we're doing more in-depth research.

So we can look on GitHub; we can also look in some other places as well. I'm sure everyone is familiar with the website Shodan. If you're not, it's an internet-wide scanning site; it's always constantly scanning the internet. You can query this, you can find devices, you can find services running on here. So we turn to Shodan next. We have our GitHub results, but again we want to remember we want to verify our data. It is just posted online, so we want to make sure that we can at least verify and validate this information. [inaudible] starting point; you can always find interesting things on here as well, but in our case we can start to reference this data against our Nmap scans. And we can use other internet-wide scanning services as well. Censys is another one that we can use. They didn't have as many results as Shodan, but again it gives us another source of reference that we can use to start to get an idea for exactly how many of these IP addresses are live and start to focus down further on what we want to research.

So we'll skip ahead; we won't go through all of the results and talk about piecing everything together. But back in November 2010 there were 12 servers online in the North Korean IP address space. Today there's anywhere between 30 and 35 servers online at any given time. When I was putting this together there were 3 servers online; it does fluctuate a little bit, but it's typically anywhere between 30 and 35 servers, up from the 13 back in November 2010.
So we've started to narrow this down a little bit. We've identified where we can start to look online, we've started to identify what kind of devices are active, a little bit better of an idea of what exactly is on these devices. So this is one of the only times we're going to actually go and start looking at some of these devices. One of my favorite things is just pulling up a web browser and seeing what happens if I try to connect to them, and in this instance we can see a couple of things here. Connecting on port 80 we have the IP address, we know that this is an Apache web server, and something interesting here: if we look at this, typically we would see Red Hat, CentOS, some version of Linux, but in our case we see Red Star 4.0 here. This is where we start to take a little bit of a detour on some other things, but this is where we start to learn some more interesting things about really how these websites are built and running inside North Korea.

So if you are not familiar with the Red Star operating system: it's developed in North Korea, it's a fork of CentOS, you can find it online, it has been made available, and there are a couple of things that some researchers have found on there that are pretty interesting as they've started to dig into this more. Two of them in particular: there is this scnprc binary. So this scanner, if you create a file, it'll start to scan every file that gets created and it's going to look for various strings in that text; we can see some of them here. If it matches anything in that file, that file is automatically deleted. There's also the opprc process that's running in the background. What this is going to do is it actually watermarks files on the operating system, so if I share it with someone else, and they share it with someone else who also makes changes, you can establish a chain of custody for who made each change on that document. And this works across a number of file formats that get created on the Red Star operating system. So there are some great GitHub repos; these were from one of the researchers out of Germany where they published a lot of the scripts that they used. Some more information is available there.

And if you're not familiar with what the operating system looks like: this was version one of Red Star, it has that nice Windows XP theme that I think we all miss. Version two, we move a little bit more into the kind of traditional Linux interface. And this is where it takes a pretty radical change; it really looks like macOS now. The interesting thing was, around this time is when we also started seeing in pictures more Mac desktops inside of North Korea, so starting to mimic that interface as well. Now we do know version four is available. North Korea publishes guides once a quarter about their economy and what their factories are producing; there are articles about it, it is available to purchase inside the country. It has not made its way online yet, but there is evidence that it does exist and it is something that is being actively maintained.

Now a lot of this is for the quote-unquote home version of the Red Star operating system. There's also the server version of Red Star OS, and since the work done on the home version, I really started digging into the server version more. I do have this running at my house. There's not as much on there as the home version, but there are a couple of tools on there and some interesting things that I found so far as I've started to dig into this. There are three applications on there, Beam and RSS mod; we'll take a look at some of those, but those are used for the server. SE tools is a nice graphical interface for managing SELinux. Yum is disabled by default on Red Star Server; there was really no kind of evidence that I could find that they're using any of their own internal repos, it's all just disabled on the operating system. And one of the most interesting and frustrating things was that it runs as root, but you're lacking certain privileges. That was one of the things that I had to try to figure out right away: I was logged in as the root user, but as I started just looking around the file system I started getting a lot of permission denied errors; there were certain directories that I was locked out of. So I was talking to a friend of mine and he told me that this is using what's called the Bell-LaPadula model of access control, and if you're not familiar with this, because I certainly wasn't: this is apparently really only used by the DoD and essentially sets various permission levels, so even though you're the root user you still may be denied access to certain files. So this is where I was running into different pop-ups, I was running into permission denied as I was starting to look at this more. So we had to figure out a way; what can we do? We turn back to Google. You start to Google things like Red Star, you get all sorts of good information, but one of the things I noticed was there were some Russian articles posted about Red Star. I actually googled the Red Star translation, which is posted there; that took me to a couple of Russian forums, and I found that there were users posting all of the manuals online for the Red Star operating system. It was a slow process, it did take a lot of Google Translate, but eventually I got to the page where it shows exactly how to change your permissions on the operating system, how you can elevate to exactly what you need. So at that point I was able to escalate, and now I could start to really install, I could start to look at some of the files that were created on there. The interesting thing was, as I've been slowly working my way through all four versions of these manuals, they do have benchmarks published in there, similar to things like the CIS benchmarks and various hardening standards, that you can use to harden your Red Star server if you're deploying it in production. So they seem to be very aware of not only what kind of services are running on there but being able to secure them as well before they're deployed to the internet.
So now that I finally had access to everything, now we can start to look at some of the Perl scripts that were on there; I could really start to dig into some of the files and see what was on here. There's still a lot more to read through, but some of the messages were interesting. There is some debate on /dev/random versus /dev/urandom; North Korean developers [inaudible] these differences, apparently. We can see where they generate a random number twice and they check to see if it is equal, which I thought was interesting. Now some other things that are interesting on there: they do have their own security built in. So we might all be familiar with something like fail2ban, where if I have someone who tries to log in over SSH a number of times and they're unsuccessful, it will automatically block their IP address. North Korea has built their own, where they have their own block list that gets created automatically after a certain amount of unsuccessful login attempts. So there's still more to go through there; there's a lot more scripts on there that I've slowly been working my way through. But the other thing that I could do now is I could also start to install and look through some of these other programs on here. So this is looking at the Beam program, as it's called. Now, once I was in there, now I have my nice graphical interface here for managing my server. And again, I thought this was pretty interesting: all of my services that I would need to deploy, no more command-line installation, no more config files to deal with; everything for the server is managed through this graphical interface that they've built on top of it. So we can manage all of our users on here, services, network configuration; everything is available through these Beam and RSS mon programs to make it easier to manage the Red Star deployments.
So it was a little bit of a detour there, but as we start to dig into it more there are certainly more detours to take. But we've identified at least some of the infrastructure; we've gone from a couple of class C networks, we've identified what kind of devices are on there. The other thing we want to do is we want to see if we can find any domains, because now what I can do is, once I've identified all of these domains, I can start to look for maybe sub-domains that have been forgotten. Those are also really good, really easy ways to get some bounty points; a lot of times we can find domains that maybe have been forgotten, domains that are pointing outside of those IP addresses that we saw before. Now one of the things we do know about North Korea: this was about six years ago, North Korea had 28 websites registered to its domain. Their official top-level domain is .kp. The reason we know this is, at the time, someone noticed that North Korea was allowing global zone transfers on their DNS. They were able to enumerate all of the websites in North Korea, and at the time there were 28 websites online. So since that day, myself and a couple of other people have kept an eye on some of the websites using various services; we're up to 33 different domains. This points to 31 individual websites; there are a couple of domains that are shared, pointing to the same website. But again, we want to identify as many as we can because we want to start to see what else this is pointing to: maybe there's a certain IP range that we just don't know about, maybe there are cloud services that this is resolving to. So we're going to start to use various passive DNS services, where they're recording all of the DNS queries and responses. We can start to look at WHOIS data, but we can start to map these domains back to infrastructure as well, start to round out this picture that we're building. I don't have a picture of this, but the screenshot on the right is from the Air Koryo website. This is North Korea's state airline. If you look, in non-COVID times when they have their flights running, every flight is always on time. This is another one we can easily verify: if we look at something like Flightradar on this day, I think a couple of these flights were actually delayed about four or five hours, but everything on their website always shows on time and perfect. But again, we want to make sure we validate our data as we're finding it across our various sources.
So we have a good starting point, but what if we don't have this available, if we don't have that nice Wikipedia article telling us where to start looking? Again, we can start with just some of the basic information. For example, I can run my WHOIS lookup, I can start to do my reverse DNS lookups to see what kind of domains are registered. I think last time I checked, Apple has something like 16,000 domains that it registers. But there are ways where we can start to use just some basic searches to see what kind of information is available. A lot of domains are registered with these various privacy services now, which does make this a little bit challenging, but this is where we can also start to use things like passive DNS data. There are services out there that are recording all of these DNS requests and responses, so we can query this again to start to find these domains, how they're mapping back to this infrastructure, to start to build out this picture of how many domains are online for a given organization.
We can also get a little bit more creative with this. One of the things that we've started seeing come online recently is websites in North Korea using HTTPS, and a lot of times in the certificates there's a lot of good metadata in there that we can use and search. One of the things we can do is look at the hash of that certificate, and we can actually search that using these internet scanning sites like Censys to see: is this certificate being reused anywhere else? So that's another way where we can do some additional information gathering. Again, in this case, when I started doing this they only had one website with HTTPS, so there wasn't too much I could find, but it is something that I started watching more as they are moving over to HTTPS for their websites, to see how these certificates are being generated. We can see a lot of this is self-signed, according to their various internal infrastructure, but again it gives us a good way to get a little bit better of an idea of what kind of sites are online, are these certificates being reused anywhere. And then about a year ago, one of the websites that came online is dprkportal.kp. I'm personally convinced that this website was put online just because this is a directory that essentially lists all the websites in North Korea, so it's made my life a lot easier to find any kind of new sites. But I'm also convinced that this was put online just to frustrate myself and a couple of other people that I talked to about this, when we were watching all this traffic for years and years; now it's much easier to just go here and see if there's anything new online.

So the last part of this: we found our servers, we found our domains, what else can we find? Again, this is where we can start to use these various internet scanning sites. One of the things we'll start to see as we look at some of this North Korean infrastructure: a lot of the websites are already on Red Star, but any of the actual infrastructure like DNS, mail servers, NTP servers, these are actually running on either Red Hat or CentOS; you can see that in the banners that are being grabbed here. But we can also find some other interesting things. One day this popped up, and I believe this was on Censys: there was a VMware server online for a little bit. There's a Cisco device online, which I believe is still currently there. And again, we want to make sure that we are validating our data, so I can look across other internet scanning sites, I can verify that it is the same response, the same data being returned, making sure that we are, to the best of our ability, validating our data as much as we possibly can.

So the grand total at the time when I put this all together: there were five web servers, a couple of DNS servers, mail servers, a VNC server; there's about 20 services running on port 8080, I'm still not sure what those are to this day. It's still big and it's broken out across a number of Linux servers, Red Hat, Red Star; there's always a couple of Windows servers on there, typically running IIS with just the default pages in place; and that Cisco device always seems to be online somewhere as well.
And again, why is it important to identify these services? These are things that I want to know before someone else finds them. Again, if I start to look some of these up, in the versions being returned we can start to see that there are some possible vulnerabilities here. Again, it could just be something that was changed for the banner, but these are things that I want to know before someone outside my organization finds these and potentially exploits them. So we spent a lot of time talking about North Korea's actual infrastructure and some different ways we can identify that. The other thing that I wanted to start to look at as well is: can we find any evidence of North Korea actually browsing on the internet as well? And the reason for this is there are essentially two versions of the internet in North Korea. There is an intranet, which is what most people have access to; it's really just for inside the country only. And then there is an official internet link, but this is for party elites; essentially only they have access to the outside internet. This is a picture that I found on Flickr from someone's tour of North Korea. This was in a computer center where they have a list of all of the sites on the intranet published on the right-hand side there, and it varies how many sites there are; I've heard as little as 20 or 30 all the way up to two or three thousand internally. That's pretty hard [inaudible], but there are a couple of interesting ones that I've come across. These are things that don't resolve for me, but just digging into it a little bit more and asking around, there are some different domains that I've been able to find, especially for things that are used inside of hotels, or kind of the social networking service that they have available. And this was another screenshot that was published as well for some of the various sites and apps that are used on the intranet as well.
But really what started this was, about six years ago, maybe it's a little more now, this was published: Steam, the gaming service, published a map of where everyone in the world was connecting from. I circled it there; it might be a little bit difficult to see, but one of the things that really interested me was there was one dot coming out of North Korea. So I wanted to see: can I find, again using various Google searches, or Google dorks if we want to call them, just basic searches that I can do, searching for various IP addresses? In this case I was looking for any type of logs that Google has indexed. This was on a Russian oil website where I found a North Korean IP address that was browsing it. Pastebin, another great site to search; leaked credentials, I want to know about. This was a leak from a Minecraft server where we can find a username in North Korea. And then we start to look at some of the other sources as well, things that we may not always consider. So this is where, if we look at something like Wikipedia, for example, we see that there are changes made by an IP address in North Korea for various articles, since if we don't have an actual account it logs the IP address. There are a number of changes made across various articles. And again we can start to look at other sources; this is a website called I Know What You Download. It's essentially scanning all of the trackers for various torrent websites. You can query this; you can search this based off of your own IP address, based off of movies, countries; a lot of interesting information in there. I wrote a script that queried this for all of the North Korean IP addresses that were torrenting, and these were the ones that were returned. I learned about popular movies that they're downloading; sporting events is a popular one being torrented. But I thought this was interesting as well: these were all of the device drivers, for cameras, we can see in there, graphics cards; various devices that were being torrented for these drivers.
So we can start to find some activity of North Korea online; we can take a look at their infrastructure. Social media is always another popular one. This was an article about two years ago that came out that LinkedIn is the social media [inaudible] elite. I still have not gotten a friend request on there, but there's a lot of things you can find on there very easily with some hashtags that I never thought would work. This was searching Instagram for the hashtag visitorbadge; you find all sorts of information that I had to blur out for doing this: names, contact information, all sorts of information that you can find. Newjob is another one that has information that people are posting online. But what can we find out about North Korea from social media and from some of these other sources? This is from a tour group in North Korea: mini kegs are being released soon by the official North Korean brewery. This is a pamphlet that they give you when you check into the hotel: how to cope with potential disaster. This is one of the guided tours, what's called the Palace of the Sun. This is interesting because when you're on the tour you're not allowed to take any pictures in there, but we can see on Instagram this is actually tagged on the map specifically as a location; very easy to find all the pictures that people have been sneaking in there as well and posting online. And we talked about the Red Star operating system; well, it does seem to be used for a lot of their websites that are deployed, but as far as day-to-day usage it doesn't seem to be that popular. A lot of the pictures that I've seen, based off of what's been published across, again, people's tour groups and pictures released by North Korea across some of their social media presence, everything appears to be Windows XP. It seems to be very active and alive there; as far as the Red Star home version, it doesn't seem to really be in use too much outside of just some of the colleges.

And again, we always want to make sure we're validating our data as much as possible. This was a picture that was published by the North Korean state media on one of the websites; it always looks a little too perfect: the weather, everything looks a little too uniform. Again, these are pictures that we can verify. There are websites like FotoForensics that will look at the various layers of an image and start to show where they've been modified. You can do this with a lot of images that you find, but it's a great way where not only will it let you look at all of the metadata of a file, but it also quickly highlights things that might be a little bit suspect, and in our case, where we start to see a little bit too much uniformity, start to confirm some of those suspicions for us.
and then we can also start some outside sources as well things that we may not consider strava if you're not familiar with it is a uh a fitness band similar to a fitbit or uh something like an apple watch and one of the things they do is if you opt into it they'll publish your anonymous data of where you've been the idea being that it's going to help other people find hiking trails and bike paths but i heard and thought i wonder what i can find for if i look at north korea we thought there's probably not going to be anything there but we can start to see if we zoom in we can start to see various roads that
are being highlighted that people have been traveling a lot of this appears to be tour groups as they are going to north korea but if we zoom in even further we can really get a good idea of some of these buildings that they're going in we can probably get a good idea of exactly what these tour groups are doing the routes that they're taking problem also for some military bases where people were wearing these this information was being published online as well so again if we start to look at some other sources that we may not consider there is a lot of interesting information that we can find out there one of the things i also found i noticed
up north there were a couple of very faint purple lines here and i was curious to know what this was so i took those coordinates and i put it into google maps it's a ski resort now the interesting thing about this at least to me was north korea does have a ski resort uh might have actually seen pictures of it it's been featured in a lot of places but this is not the ski resort this is something completely different on the strava map i've never actually seen pictures of it before but again it gives one more thing that i can start to look into further and see what else we can find based off of some of this data that's online
now a couple of other things as we start to wrap this up sili vaccine this came out a couple of years ago some research that checkpoint did with uh a reporter martin williams who does some great work this is a essentially an antivirus that runs on north korean computers but if you start to again look up in github now the shadow brokers leak a couple of years ago when they leaked all of those hacking tools one of the things we find in there when we start to look up the silver vaccine uh we can see that in these tools that are leaked uh where they're scanning an endpoint to see if there's any kind of
antivirus or edr running one of the things that they are checking for is actually this silly vaccine program so it is something that is uh well known apparently it is something that people are and this was something that i thought was pretty interesting to find and then one of the last things as we do start to look in unusual places one of the other hobbies i have is looking through all of the html for these websites sometimes i don't have the most interesting things to do during the day or at night but i can start to see one of the things here there's some various font families specified i had never heard of these before
a little bit more research i found out that these were fonts developed inside of north korea so they started searching those fonts a little bit more than names they've actually come up on a couple of sandboxes where you can submit services or files to to detect if they're malicious this was one in particular i i thought the comment was really great no idea what it is i found it on my laptop certainly this doesn't provide any attribution to a north korea but i thought it was interesting looking at some of those font names and some of the results that were being returned as well uh something that i had never really considered and still i
i saw that and started looking into it more uh so i know we're we're almost at time here there's all sorts of fun things we can find online uh one of the things that i always like recommending osintframework.com it's a great website i follow this all the time when i'm not sure where to go the resources uh and it's a nice tree structure that you can expand and collapse as you want to start doing investigations uh makes it easy to find all sorts of resources and i have my my own website nkinternet.wordpress.com that i've been publishing things on for the last number of years uh so if you are interested in anything i have probably three four years worth
of material published on there that doesn't fit in here all the time but always try to keep it up to possible and uh that's about it thanks uh thanks everyone thank you nick that was really good
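The font-family hunting described at the end of the talk, as an added example in Python (not the speaker's code or any tool the talk mentions): it pulls font-family declarations out of a page's `<style>` blocks and inline style attributes and lists the names that are neither generic CSS families nor on a small allowlist of common fonts, so an analyst can look the rest up in sandboxes or search engines. The sample HTML, the font names and the allowlist are constructed placeholders, not the fonts the speaker found.

```python
import re
from html.parser import HTMLParser

# Generic CSS families and a small, constructed allowlist of widely used fonts.
# Anything outside both sets is reported as "uncommon" for an analyst to look up.
GENERIC = {"serif", "sans-serif", "monospace", "cursive", "fantasy",
           "system-ui", "inherit", "initial"}
COMMON = {"arial", "helvetica", "times new roman", "georgia", "verdana",
          "tahoma", "courier new", "segoe ui", "roboto"}

# Matches the value of a font-family declaration up to the next ';' or '}'.
_FONT_FAMILY_RE = re.compile(r"font-family\s*:\s*([^;}]+)", re.IGNORECASE)


def split_families(value):
    """Split a font-family value into normalised names (quotes, !important stripped)."""
    value = re.sub(r"!\s*important", "", value, flags=re.IGNORECASE)
    names = []
    for raw in value.split(","):
        name = raw.strip().strip("'\"").strip().lower()
        if name:
            names.append(name)
    return names


class _FontCollector(HTMLParser):
    """Collects CSS text from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.css_chunks = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for key, val in attrs:
            if key == "style" and val:
                self.css_chunks.append(val)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css_chunks.append(data)


def font_families(html):
    """Return the set of every font-family name declared anywhere in the HTML."""
    parser = _FontCollector()
    parser.feed(html)
    found = set()
    for chunk in parser.css_chunks:
        for match in _FONT_FAMILY_RE.finditer(chunk):
            found.update(split_families(match.group(1)))
    return found


def uncommon_fonts(html):
    """Names worth looking up: not generic and not on the common-font allowlist."""
    return sorted(f for f in font_families(html) if f not in GENERIC and f not in COMMON)


# Constructed sample page; the font names are placeholders, not real fonts.
SAMPLE_HTML = """<html><head><style>
body { font-family: "Placeholder Sans", Arial, sans-serif; }
h1 { font-family: PlaceholderSerif !important }
</style></head>
<body><p style='font-family: Tahoma, "Example Local Font"'>x</p></body></html>"""

if __name__ == "__main__":
    print(uncommon_fonts(SAMPLE_HTML))
```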