
BG - Operation So-seki: You Are a Threat Actor. As Yet You Have No Name.

BSides Las Vegas · 42:18 · 216 views · Published 2024-09
About this talk
Breaking Ground, Tue, Aug 6, 19:00 - Tue, Aug 6, 19:45 CDT

This presentation shares the findings and lessons learned from an investigation into a pro-Russian hacktivist group, tentatively called X. Their DDoS attacks have been reported worldwide and have been conducted in an organized manner. Since their activities began in March 2022, both the scale and the targets of their attacks have gradually expanded. We have been tracking the DDoS attacks conducted by X for nearly a year and carrying out "Operation So-seki" to alert and provide knowledge to the targeted organizations. In Operation So-seki, we obtained a botnet client tool used by X and clarified the mechanism of its command and control (C2). We have automated the collection of DDoS target information and analyzed more than 1,000 attacks by monitoring the botnet and effectively tracking its infrastructure using NetFlow. In this presentation, we will share the findings from a cross-analysis of the above information, the methods of analyzing and tracking their infrastructure, the operators behind X, their tactics, techniques and procedures (TTPs), DDoS countermeasure techniques, and what we have learned from dealing with DDoS hacktivist groups.

People: Kaichi Sameshima, Atsushi Kanda, Ryo Minakawa
Transcript [en]

Hello everyone. Did you all enjoy the happy hour? Yeah? Our presentation is just around the corner, so we are too nervous to enjoy the happy hour. Once the presentation is over we want to enjoy plenty of beer, like the other parties. So now let's move on to our presentation. Our talk is about Operation So-seki. It is a summary of our research and activities against a hacktivist group. We hope that the presentation will contribute in some way to the BSides Las Vegas community.

First of all, I will introduce today's speakers. My name is Ryo Minakawa. I am a malware analyst at NF Laboratories in Japan. I usually research APT groups in East Asia. Next, he is Kaichi Sameshima. He is a threat intelligence analyst at NTT Communications, which is one of the biggest telecommunication companies in Japan. For this research he has been working on SNS research and the big data analysis. Finally, he is Atsushi Kanda. He also works as a threat intelligence analyst at NTT Communications. He is an excellent engineering manager and a specialist in the security and network field. For this research he developed our analysis system and led our entire operation. We all belong to the threat intelligence team NA4Sec ("na-for-sec" in Japanese) at NTT Communications, and we work to protect Japan and NTT Communications from cyber attacks.

OK, before we start our presentation there are a few important things I would like everyone to keep in mind. Our main topic is a hacktivist. Hacktivists want their names and ideologies to be known to the public, so please don't write the threat actor's name in public spaces like SNS. If they know they are being focused on, they may target you, your country or your company to attract more attention. In addition, some of the technical details are not described in this presentation, because they may watch this YouTube live and they change their TTPs easily. If you want to know the technical details, for example how to extract the decryption key from the infrastructure, please contact us after the presentation. We will provide the details and useful scripts for research.

This is our presentation agenda. First, we will introduce an overview of what Operation So-seki is and the hacktivist group profile. Next, we will explain how to track their activities and infrastructure. After that we will present the analysis of data exfiltrated from the infrastructure over a year. Finally, we summarize the insights we gained from our activities against the hacktivist group.

All right, let's dive into our research. To start, I'd like to ask a question: do you know him? Some people in this room know him. He is NoName057(16), and I think many researchers already know about him because he is a pro-Russian hacktivist group, and they have been executing DDoS attacks around the world. During our observations, critical infrastructure in numerous countries has been targeted and attacked by them. In our country, Japan, their attacks have also damaged many companies, governments and organizations. Since February of this year they have attacked Japan many times, citing opposition to Russia as the reason. So we began tracking the attacks in February of last year.

Operation So-seki is our activities and approach against the hacktivist group NoName057(16). The name So-seki is inspired by the famous Japanese author Soseki, in this image. His well-known book "I Am a Cat" starts with the line "I am a cat. As yet I have no name", which is similar to the group's name, so we selected the name So-seki for the research. Then we joined their underground community, analyzed their tool and infrastructure, and continuously monitored their DDoS attacks and internet operations for over a year. As key takeaways we will provide these three points: first is a method for analyzing and tracking the DDoS infrastructure; second is a long-term data analysis of DDoS attacks from multiple perspectives; third is the insight on how we should respond to hacktivists, based on our experience with Operation So-seki.

Next, before we talk about the details of our operation, we will introduce the profile of the hacktivist and their communities. Once again, we introduce NoName. He is a pro-Russian hacktivist group who has been active since March 2022. The ideology behind the activities is claiming legitimacy regarding Russia's invasion of Ukraine and criticizing those who are anti-Russia, such as NATO and those collaborating with Ukraine. They have executed attacks against countries around the world that oppose Russia, to spread their ideology. Unlike other hacktivists, they use volunteers for the DDoS operations, and they operate Telegram communities, which are the base of their operations. They get volunteers in the Telegram community, distribute a custom DDoS tool called DDoSia, and encourage volunteers to join their activities and spread their ideology.

This diagram shows their Telegram community. There are four major communities. The first one, the most famous public channel, is NoName057(16). It is a public leaders' channel which reports successful DDoS attacks and news about Russia; it is posted every day. The number of subscribers increases with each report of their activities, and there are about 72 subscribers now. Next are the DDoSia Project and, on the left side, the new Cryan DDoSia channel. DDoSia is their original tool, which they developed to automate DDoS attacks. These two channels are private channels which are underground communities for people who want to volunteer for DDoS attacks. In the DDoSia Project, illegal activities take place, such as discussing attack targets and distributing paid VPN and Telegram accounts. Previously DDoSia was also distributed here in the Project, but now volunteers are screened, and only those who pass the interview process are guided to the new Cryan DDoSia channel on the right side. The new Cryan DDoSia channel is a new community established in March of this year. The community is still very small, about 300 subscribers. In the interview to join the channel, people are asked about affiliations and ideology, and they cannot join the community unless they are recognized as like-minded. Approved volunteers in this channel are able to download DDoSia, use the tool and execute DDoS attacks.

The DDoSia Project distributes a manual along with the tool. It explains how to use it, and it describes that dCoin, which can be converted into cryptocurrency, will be given as a reward according to the number of DDoS attack collaborations. It also explains OPSEC, such as using a VPN. So it shows that the manual covers more than just basic usage. In particular, they recently issued guidance on OPSEC and announcements. Last month, following the arrest of their volunteers in Spain, they included measures to improve OPSEC, such as using a VPN with a kill-switch option, separating personal-use Telegram accounts, and so on. So it is expected that making arrests will become more difficult in the future. Finally, they also manage a bot called DDoSia bot, which allows volunteers to automatically handle dCoins and rankings. The community has a ranking system based on the number of successful DDoS attacks. It makes volunteers enjoy DDoS attacks as if they are playing a game.

This is the summary slide of this section. NoName is a pro-Russian hacktivist group based in Telegram. They include like-minded volunteers in Telegram, distribute a DDoS tool called DDoSia, and maintain their DDoS infrastructure by providing various motivations to their volunteers. In other words, by joining the community and analyzing DDoSia, we could monitor the DDoS activities. So the first step in tracking them is to analyze DDoSia and find out its control mechanism.

From here we will provide a detailed analysis of the DDoS tool and their infrastructure to track their activities, just as Operation So-seki does. First let me clarify the motivation behind analyzing DDoSia. The primary goal is to make the DDoSia target list accessible. By doing this we can take proactive measures for current targets and those who might be attacked in the future. Another goal is to identify the fingerprint of their infrastructure. With this, it could be possible to execute takedown operations against them in the future. To achieve these goals we must statically analyze DDoSia to reveal the data structure and communication algorithm.

This is an overview of DDoSia. DDoSia is a multi-platform tool built in the Go language and distributed to volunteers. The tool is provided as a set for various operating systems, like the image, and various CPU architectures. Just execute the one for your platform and it does DDoS attacks on the machine. The executable files are separated into Russian and non-Russian versions, but there is little difference in their behavior, so we don't go into details. This is the update timeline for DDoSia. It has been very active; it has been continuously updated since we started our observations. Then we provide a demo of DDoSia. This time we will use the Windows x64 executable on my machine; the other ones will work just as well.

At runtime, specify the IP address of the current C2 server for DDoSia with the IP argument. When executed, DDoSia receives a command from the C2 server, including a DDoS target list. After a while, DDoSia returns feedback on the number of successful DDoS attacks. Next, in the background, you can see that a large number of communications are being sent to my dummy server. So it is easy to execute DDoS attacks.

Next, let's analyze the internals of DDoSia. The figure shows the result of the analysis of DDoSia's behavior. The behavior is very simple; please see step one to step five in this image. At step one, DDoSia sends a request to the client login path of the C2 server to join as a botnet. If the login is successful, a unique timestamp is returned as a response from the C2 server (step two). After a successful login, it requests the target list, and the client gets the target list (step three). Finally, the encrypted target list is sent to DDoSia, which decrypts it in memory and starts the DDoS attack (step four). To summarize, if we can emulate the communication of step one and step three and decrypt the response of step four, we will have achieved our primary goal.

To emulate the communications, it is necessary to analyze the data structure and encryption method. This slide shows an example of processing data. All communications are encrypted using AES-256 in GCM mode. The data necessary for decryption is concatenated: at the head of the data is the IV, and at the tail is the GCM tag. This encrypted data is encoded to Base64 and converted to JSON format, like this, which is the basic data format for communication with the C2 server for DDoSia. Now we understand the communication algorithm and the data structure with the C2 server, so we can decrypt the command and control in step four. We tried to decrypt it with a simple Python script. It was able to extract the DDoS target list, so we have achieved our primary goal.

However, we have one issue. Since the beginning of this year they have started changing their infrastructure at very short intervals, every few days. So to continuously track them we need to find their new infrastructure within the entire internet space in a few days. As a fingerprint of the infrastructure, we can apply the unique timestamp response in step two. However, it is impractical to send POST requests to the entire internet space within a few days, so we had to adjust our approach to complete the discovery within a realistic time frame. We decided to use a faster internet scanner, masscan, to reduce the number of scans. By using masscan to first identify HTTP servers, we can reduce the number of HTTP POST scans from the order of billions to around the order of 10 million. Finally, we execute the scan only against HTTP servers, emulating the DDoSia bot connection to find their fingerprint. Then we discover new infrastructure and get the DDoS target list within a day. As a result, we are now able to continuously track the infrastructure and the DDoS target list.

This is a demo of how to get the target list. First we prepare the list of HTTP servers created with masscan, and with it we perform scans on the list, emulating the DDoSia bot connection. OK, now we can see that the IP address starting with 100.93 has the fingerprint of DDoSia. Next we emulate the communications to get the target list for this IP address. OK, login success, and the data displayed is the decrypted DDoSia target list. So we can get the target list from their C2 infrastructure. Now that the proof of concept is completed, we automated this task. We use Apache Airflow as the backend. We get the target list via Tor, next process the information, and then store the processed data in GitHub. This process is carried out regularly, and any changes are notified via Slack, like that. With this we can keep collecting the DDoS target lists and track their activities. Next, Kaichi will talk about the results of the detailed data analysis.

OK, this is about the target list we are acquiring. Each file contains about 350 pieces of target information, and among them the number of unique hosts is about 10 to 50. The target list includes the target and its attack method. For the target, domains, IPs, ports, URL paths, etc. are specified. It also supports pseudo-randomization using templates. For the attack method, we have confirmed DDoS attack methods of layer 7 and layer 4, such as Slowloris and TCP SYN flood. The format of this target list is occasionally changed. It was confirmed that the format of the target list changed in conjunction with the times when the DDoSia protocol was changed, in April and November. DDoSia's capabilities are also being updated, and new features are being added as needed. It was also found that major changes are linked to the timing of updates to the DDoSia infrastructure.

Next we will discuss the transition and analysis of DDoS activities. We have collected and analyzed posts from the public Telegram channel. As for the content of the posts, there are posts that call out to comrades at the beginning of the day's activities; we call these "start of work" notifications. On the contrary, at the end of the day's activities they also post news summaries; we call these "end of work" notifications. Also, the most common type of post is promoting the success of DDoSia DDoS attacks. This kind of post includes check-host links to the target site and images of a browser showing that it can no longer connect to the target site. Other posts include reacting when their activities are featured on social media or blogs. Also, the figure on the right represents the time zone when many posts are made. Assuming that this actor is active in Moscow time, UTC+3, posts on Telegram are concentrated from around 10 a.m. to around 9:00 p.m., and it is clear that they are active at a clearly defined time.

Next, we have visualized the timeline of Telegram posts over a long period of time. The top row represents the number of posts, the middle row is a scatter plot of the minutes of post time, and the bottom row is a heat map of the days attacked for the top 10 countries that are frequently targeted. At a glance, you can see that trends vary depending on the time period, and that the trend mainly changes at the beginning of the month every few months. From the next slide let's take a look at each. First, if you look at the timeline of the number of posts in the top section, you can see that the number of posts varies depending on the time period. Also, if you look at the 2023 part, the left part, you can see there were many posts promoting the success of DDoS attacks, in orange. But if you look at the right side, you can clearly see that the orange has decreased. So have DDoS attacks decreased? That's not the case; in fact it is known to be on the rise. If you actually look at the content of the posts, at the left side they were doing it in the style of one post per target, but at the right side they changed to make one post for multiple targets. Also, if we look closely, you can see that the bear in the picture has changed from a realistic bear to a deformed bear, and from such things you can confirm the change in format.

Next let's talk about the posting time. The vertical axis represents the minutes posted, from 0 to 60. The green triangles represent the start-of-work notifications. Initially, when the start-of-work notifications began, they were posted at various times and minutes. However, from a certain point in time the trend changed to concentrate posts from 0 to 1 minute each day. Also, it is now known that the start-of-work notifications have been automated. Next let's look at the DDoS success posts. The orange inverted triangles represent the posts promoting the success of DDoS attacks. Initially posts were made at various times and minutes. After that, although not as much as the start-of-work notifications, it can be seen that posts started to concentrate at times like 0 to 1 minute and from 30 to 31 minutes, and then eventually they returned to posting at various times. In this way it was confirmed that the posting times changed depending on the period.

Finally, let's discuss the target countries. In the lowest section we are displaying the top 10 countries by TLD that are frequently targeted. Looking at the style of target country selection, NoName has a tendency to set the main target country at the beginning of the week, and from there they have been attacking while switching the target countries every week. However, around September 2023 this trend also changed, and they started to attack by switching the target countries on a daily basis, not on a weekly basis. Recently there is also a trend to continue targeting the same countries again for several days. In this way there were changes in the operation depending on the period, even in terms of the style of target country selection.

Through this analysis we have the following thoughts about NoName's activities. The fact that they have a fixed activity time centered around 10:00 a.m. to 9:00 p.m., and that they make scheduled posts every day, suggests that the Telegram operator is not just operating as a hobby but is operating in a businesslike manner. Also, the fact that the operation policy is regularly changed every few months, and that the trend switches sharply at the beginning of the month, suggests that this is an organized activity. Furthermore, the maintenance of an infrastructure capable of handling large-scale requests for over two years, and the fact that they have a substantial source of funds that allows them to continuously provide rewards to more than 500 supporters, suggest that there may be sponsors who are funding NoName's activities in the background.

We were able to obtain target information from both the Telegram posts and the target list, and using this we have calculated metrics such as the attack success rate. The attack success rate is calculated as the number of reports on Telegram divided by the number of targets in the target list. The trend from November 2023 to December is shown in the figure on the right. In this figure, the top row represents the number of targets included in the target list, and the bottom row represents the transition of the attack success rate. Looking at the number of targets around November and December, there were about 20 targets per day, and sometimes there were more than 30 targets. The attack success rate varies greatly from day to day; it is less than 20% at its lowest and less than 90% at its highest. We compared this with the time around February 2023, when Japan was targeted. At that time the number of targets was around 13 and the attack success rate was less than 60%. Focusing on the number of targets, we can see that NoName's activities have become more active, with the number of targets now about twice as many as in February 2023. Looking at the attack success rate, there are many sites where the attack hasn't been successful. Of course, if the attack is not successful it cannot be promoted on Telegram, so the targets visible on Telegram are just the tip of the iceberg. We also got the impression that attacks on CDNs often fail; however, there are cases where the origin is directly targeted, so origin defense remains important. Also, targets that were successfully attacked tended to be targeted repeatedly. In fact, when calculating the proportion of targets that were successful in the past among the targets included in the target list, on average about 75% were targets that had been successful in the past. From such a situation, it can be said that it is important for the defense side not to be listed on the attack success list, and to consider how to defend against the first attack. Next we will move to Atsushi's part.

So let's move on to the next section. In this part we will share the lessons we have learned about information sharing through more than a year of dealing with this hacktivist. We have often encountered situations where the sharing or spreading of threat intelligence has led to negative impacts. For example, the disclosure of TTPs can lead to changes in TTPs, or the victim's information can reinforce the attacker's sense of success and be used for further propaganda. This is a timeline of major events regarding the attackers' reaction to the disclosure of TTPs. As you can see, they appear to be particularly sensitive to disclosure about their DDoS mechanisms or their DDoS infrastructure. Especially, we've observed several times where they switched C2 servers or changed the C2 protocol within a week or two of the publication of a detailed report from cybersecurity companies. Of course, these companies are doing great jobs and sharing a bunch of insightful intelligence, and it might be a coincidence that the publication of reports and the changes in TTPs happen around the same time. But given the example of Avast, where this hacktivist attacked Avast shortly after they published a report about the details of this hacktivist's C2 infrastructure, it can be said that at least this actor has a significant interest in the disclosure of their internal details.

The next example is about the reinforcement of propaganda. Those who have seen their posts on X or Telegram will understand that they often cite the damage information or news about the victims they have attacked to strengthen their claims. As we mentioned in the past section, this actor frequently targets organizations they have successfully attacked before, so it means spreading such victim news will reinforce their sense of success, and as a result it will pose a risk of attracting further attacks in the future.

Here we would like to revisit what a hacktivist is. A hacktivist is someone who uses hacking techniques to promote political or social change. Their ultimate goal is to influence public opinion by making their claims widely known. So DDoS is just one of the means of attracting public interest, and they are concerned about how well their message is reaching the world. In other words, they want to make themselves and their activities more known. From this perspective, hacktivists and public disclosure of threat intelligence are potentially incompatible. So what we have done in Operation So-seki is that we have delivered information as secretly as possible in a timely and effective manner. For example, we directly contact the targeted organization to provide specific information about exactly where they have been targeted. What we have learned from this action is, from the viewpoint of the targeted organizations, that early access to DDoS target information has benefits beyond simply being able to begin a timely incident response. One benefit is that it clearly identifies the cause of system overload. Generally it is difficult to distinguish between a sudden increase of benign traffic and a DDoS attack; however, having attack information can save the cost of such investigation. Another benefit is from understanding the scope of the impact. Knowing which websites are being targeted also means knowing which websites are not. This allows us to efficiently allocate resources to handle the issue. And yes, sharing information individually is time-consuming and cost-consuming, so we also utilize nonprofit organizations like ISACs to distribute our information.

To summarize this section, what we have learned in dealing with hacktivists is that we need to consider information sharing tailored to the nature of threat actors. This means thinking about the balance of cost and benefit for both attackers and defenders. If sharing certain information helps us prevent future attacks or reduce the damage of an attack, it might be worthwhile to spread such information. But naturally, if the defenders do not gain more benefit than the attackers, the information sharing will be a failure. Therefore we must always ensure that our strategies provide a net benefit to our defense efforts. The same applies to secondary information sharing. When dealing with hacktivists, the careless dissemination of information benefits the attackers. As modern defenders we need to pay close attention to what our actions bring about.

So, to quickly summarize our presentation: in our presentation we discussed the pro-Russian hacktivist I don't want to name here, as they might be watching this live stream, but you know who. The key takeaways are the techniques for tracking and analyzing DDoS infrastructure, the long-term multi-perspective study of the DDoS actor, and also the lessons learned from confronting hacktivists. And lastly, again, please, we want you to be sure not to publicly spread any information linking us or our presentation to the actor's real name, as it might irritate them. That's all. Thank you all for your time and attention today. We would like to thank BSides for giving us such a wonderful opportunity, and we'll be glad if you find our presentation insightful. Your comments and feedback are always welcome. So enjoy your night in Las Vegas, but be careful, don't drink too much, including us. Thank you very much. [Applause]
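The C2 response envelope the transcript describes (AES-256-GCM, IV at the head, GCM tag at the tail, Base64-encoded into JSON) can be decoded by an analyst who already holds the key, as in the added example below. This is illustrative code written for this page, not the speakers' script or anything from DDoSia; the JSON field names, the 12-byte IV, the per-target field names and all sample data are assumptions constructed here, and the Seal function exists only to build that sample offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the JSON wrapper described in the talk: one string field holding
// Base64(IV || ciphertext || GCM tag). The field name "data" is an assumption.
type Envelope struct {
	Data string `json:"data"`
}

// Target holds the per-entry fields the talk says a target list carries
// (domain, IP, port, URL path, attack method). The JSON names are assumptions.
type Target struct {
	Host   string `json:"host"`
	IP     string `json:"ip"`
	Port   int    `json:"port"`
	Path   string `json:"path"`
	Method string `json:"method"`
}

// newGCM builds AES-GCM from a key; a 32-byte key gives AES-256 as described.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag (assumed sizes)
}

// OpenEnvelope decrypts one C2 response body. Go's GCM Open expects
// ciphertext||tag, which is exactly the "tag at the tail" layout described,
// so only the leading IV has to be split off.
func OpenEnvelope(key, body []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("envelope json: %w", err)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Data)
	if err != nil {
		return nil, fmt.Errorf("envelope base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("envelope too short for IV and tag: %d bytes", len(raw))
	}
	iv, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	// A wrong key or any modified byte fails here instead of yielding garbage.
	return gcm.Open(nil, iv, ct, nil)
}

// ParseTargets decodes the decrypted payload as a JSON array of targets.
func ParseTargets(plain []byte) ([]Target, error) {
	var ts []Target
	err := json.Unmarshal(plain, &ts)
	return ts, err
}

// SealEnvelope is the inverse of OpenEnvelope. It exists only so the example
// can construct a sample message offline; an analysis pipeline only decrypts.
func SealEnvelope(key, iv, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw := append(append([]byte{}, iv...), gcm.Seal(nil, iv, plain, nil)...)
	return json.Marshal(Envelope{Data: base64.StdEncoding.EncodeToString(raw)})
}

// Constructed sample data, not material from any real infrastructure:
// a fixed key, a fixed IV and a two-entry list on documentation addresses.
var (
	SampleKey   = bytes.Repeat([]byte{0x42}, 32)
	SampleIV    = bytes.Repeat([]byte{0x01}, 12)
	SamplePlain = []byte(`[{"host":"www.example.com","ip":"203.0.113.10","port":443,"path":"/","method":"slowloris"},` +
		`{"host":"api.example.net","ip":"198.51.100.7","port":80,"path":"/login","method":"tcp_syn"}]`)
)
```

Because GCM authenticates the whole blob, a captured response that fails to open with the key you extracted means either the key rotated with the infrastructure or the envelope layout changed, which is the signal the speakers describe as the trigger to re-analyze the client.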