Investigation of North Korea-Linked Indicators of Compromise (IOCs)

Executive Summary

  • On February 9, CISA published a #StopRansomware alert regarding ransomware attacks against healthcare and public health organizations they attribute to threat actors acting on behalf of the North Korean state.
  • The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted internal and external data sources to enrich the indicators of compromise (IoCs) in the alert.
  • Researchers leveraged SecurityScorecard’s exclusive access to network flow (netflow) data to sample two months of traffic involving the IP addresses contained in the alert.
    • Based on the available traffic data, researchers assess with low confidence that this activity has targeted higher education institutions.
    • Other explanations for their appearance in the traffic sample are also plausible. Still, given the role of educational institutions in medical and public health research, the traffic data could reflect the targeting discussed in the warning.
  • Researchers leveraged a publicly available blockchain explorer and a bitcoin abuse database to identify bitcoin wallet addresses to which the wallet addresses specified in the alert transmitted funds and which may be involved in laundering the proceeds of ransomware attacks or otherwise linked to the threat actors.

Background

On February 9, CISA and a collection of U.S. and South Korean partner agencies published a #StopRansomware alert regarding ransomware attacks against healthcare and public health organizations. The authoring agencies attribute these attacks to state-sponsored threat actors operating on behalf of the Democratic People’s Republic of Korea (DPRK). The agencies assess that the revenue from these attacks supports other activities conducted to further the DPRK’s geostrategic priorities, including cyber activity targeting U.S. and ROK government agencies and the defense industrial base.

The alert provided indicators of compromise (IoCs), including threat IP addresses that hosted websites threat actors used to distribute malware and bitcoin wallet addresses linked to previous malicious cyber activity attributed to DPRK-backed threat actors. STRIKE Team researchers consulted SecurityScorecard data sources and publicly available information to enrich the indicators of compromise (IoCs) in the alert.

Methodology

Researchers first collected a two-month sample of traffic involving the two IP addresses provided in the alert, 115.68.95[.]128 and 119.205.197[.]111. To identify possible targets of the campaign, researchers searched public IP ownership data for the addresses that communicated with the two ransomware-linked IP addresses, to determine which organizations own them.

Then, in the case of IP addresses belonging to service providers other organizations may use, researchers queried SecurityScorecard’s Attack Surface Intelligence (ASI) tool to identify the organizations to which SecurityScorecard has attributed the IP addresses, as those organizations are also possible targets of the activity.

Finally, STRIKE Team researchers searched the bitcoin wallet addresses provided in the warning in a publicly available blockchain explorer. They first identified the transactions involving the listed addresses, then focused on those that sent outgoing payments, and finally identified the other wallet addresses involved.

Researchers sought to identify other possibly DPRK-linked bitcoin wallet addresses by identifying possible instances of common spend. Common spend (or co-spending) is the use of multiple addresses to fund a single payment. Co-spending often indicates that the same actors control the addresses making the payment; in this case, that would suggest the co-spending addresses are also involved in DPRK-linked cyber activity.

Researchers then sought to identify the recipients of payments from the wallet addresses contained in the alert. Payments from the listed addresses could represent transfers of ransoms from an attacker-controlled wallet to one involved in laundering the proceeds of ransomware or other malicious cyber activity.

Alternatively, the DPRK-linked addresses could be transferring funds as payment for goods and services supporting their activity. The recipients in these transactions also, therefore, merit attention.

Having identified these recipients, researchers sought to identify the destinations to which they may have forwarded the payments received from the addresses in the alert, as these could also be involved in money laundering. Researchers then searched the recipient addresses in a public database used to identify bitcoin wallet addresses involved in malicious activity.
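The tracing procedure described above, as an added Python example that is not part of the SecurityScorecard report: it applies the common-spend heuristic and a two-hop recipient trace to a constructed set of transactions shaped like block-explorer output, with a constructed stand-in for the abuse database. It goes beyond the text by applying the co-spend heuristic transitively; all address names and database entries are placeholders, not the indicators in the alert.

```python
# Constructed sample transactions in explorer shape: inputs are the spending
# addresses, outputs are (recipient, BTC). Names are placeholders, not the
# indicators in the CISA alert.
TXS = [
    {"inputs": ["seedA"], "outputs": [("exchX", 0.2), ("seedB", 0.0006)]},
    {"inputs": ["seedC", "co1", "co2"], "outputs": [("recv1", 0.5)]},  # co-spend
    {"inputs": ["exchX"], "outputs": [("hop2", 0.19)]},
    {"inputs": ["other"], "outputs": [("seedA", 1.0)]},  # incoming: not followed
]
# Constructed stand-in for the public abuse database the report consulted.
ABUSE_DB = {"exchX": "exchange reported as processing proceeds of fraud"}

def outgoing(txs, addrs):
    """Transactions in which a watched address is an input, i.e. sends funds."""
    return [tx for tx in txs if set(tx["inputs"]) & set(addrs)]

def cospend_cluster(txs, seeds):
    """Common-input-ownership heuristic, applied transitively with union-find.
    Caveat: CoinJoin and exchange batching break it; treat hits as leads."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in txs:
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    roots = {find(s) for s in seeds}
    return {a for a in list(parent) if find(a) in roots} | set(seeds)

def trace(txs, seeds, abuse_db, hops=2):
    """Follow payments out of the seeds for `hops` hops. Returns {recipient: hop}
    and the subset of recipients that appear in the abuse database."""
    seen, frontier, recipients, flagged = set(seeds), set(seeds), {}, {}
    for hop in range(1, hops + 1):
        nxt = set()
        for tx in outgoing(txs, frontier):
            for addr, _amt in tx["outputs"]:
                recipients.setdefault(addr, hop)
                if addr in abuse_db:
                    flagged[addr] = abuse_db[addr]
                if addr not in seen:  # seeds and earlier hops are not re-expanded
                    seen.add(addr)
                    nxt.add(addr)
        frontier = nxt
    return recipients, flagged
```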

Findings: NetFlow

Throughout the two-month observation period, 891 unique IP addresses communicated with the two IP addresses appearing in the alert. Most of these (866 of 891) belonged to search engines, hosting providers, and telecommunications companies. Therefore, the traffic involving them was either likely irrelevant to the activity discussed in the warning or unlikely to offer additional insights regarding it.

For example, the search engines’ IP addresses could represent the operation of web crawlers. When they consulted SecurityScorecard’s attribution data for more information regarding the telecommunications companies’ IP addresses, researchers could not identify what specific customers (if any) use them. However, of the remaining twenty-five, a majority (eighteen) belong to universities or regional education and research networks. SecurityScorecard attributes two others to organizations in the healthcare sector.

Images 1-2: In addition to those IP addresses belonging to educational institutions, SecurityScorecard attributes two others to healthcare organizations, as reflected in our Attack Surface Intelligence tool.

Findings: Bitcoin Transaction Analysis

Of the bitcoin wallet addresses contained in the CISA alert, six (discussed at greater length below) have participated in transactions that researchers could investigate further.

  • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2 transferred funds to more than 1,300 other wallet addresses; few of these have notable transaction histories or have been named in public reports linking them to malicious activity. Researchers have therefore omitted them from this report for brevity, but the full list is available upon request.
    • However, contributors to a publicly available database of bitcoin wallet addresses involved in malicious activity have identified one recipient address, 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, as belonging to a cryptocurrency exchange that has processed the proceeds of allegedly fraudulent and terroristic activity. Transfers to this address from a ransomware-linked wallet address likely represent attempts to launder the proceeds of ransomware attacks.
  • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC sent 0.00036192 BTC to bc1qqssvcxfhr5apt8xmaqau059hwa6jqerltg6fez and 0.21172347 BTC to 126JwZtwEPRuQgcPZqVPSuN1XBPUyMxjho on June 24, 2021, and sent 0.00064181 BTC to 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76 (another address listed in the alert) and 1.66272026 BTC to 13xd8iEAhZh2vyWpfCknxuGNT6nm6veVkB on May 12, 2021.
    • After receiving the above payment, 126JwZtwEPRuQgcPZqVPSuN1XBPUyMxjho sent an amount of bitcoin roughly equal to what it had received to two additional addresses, bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h and 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s.
      • 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s is the same recipient address discussed above. Contributors to the same database have likewise identified bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h as belonging to a cryptocurrency exchange that has processed the proceeds of allegedly fraudulent and terroristic activity. Transfers to these addresses from the recipient of payments from a ransomware-linked wallet address likely represent attempts to launder the proceeds of ransomware attacks.
  • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu sent approximately 2.5 BTC to bc1qhjnxutw0qvah8rea430ark2df2fcxm5xlfy52r on March 30, 2022.
    • bc1qhjnxutw0qvah8rea430ark2df2fcxm5xlfy52r then made a series of transfers totaling the amount it received from bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu: to bc1qnnax4tz4ejtu2klzhu4hlr3tpgxkqnrla3zcgj on April 1, bc1q6uyfmjgy66afyz24q0e2v5d7pe2w6d7f7q052z on April 8, and bc1qppzvg9vxscq84wrwel3kea8pfaswlwmvm66txq on April 22.
      • While none of these has been named in public reports linking them to malicious activity, they may merit further investigation, having received payments from an address linked to DPRK-attributed cybercrime.
  • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9 sent 0.512 BTC to 3ByzggH211WiSPuqK6AvAGuvSE2dbduHvM on July 5, 2022.
    • 3ByzggH211WiSPuqK6AvAGuvSE2dbduHvM and eight co-spenders sent the funds received from bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9 to twenty-five other addresses on July 5 as well.
    • Of the recipients, contributors to the same database discussed above have identified one, 3Hr3XpwdgKZNB2mh3jYvvqqkfT6rZUg7jb, as having previously received the proceeds of allegedly fraudulent activity. Transfers to this address from a ransomware-linked wallet address likely represent attempts to launder the proceeds of ransomware attacks.

Conclusion

While the netflow findings may reflect the targeting discussed in the warning, alternative explanations of this traffic merit consideration. The alert about this activity listed the IP addresses as IoCs because they hosted two domains that threat actors used to deliver malicious downloads. However, these are not the only domains hosted at these IP addresses; traffic to these IP addresses may reflect visits to different, benign domains they also host.

Moreover, a great deal of internet traffic still passes through educational and research institutions’ networks; these institutions furnished much of the internet’s early infrastructure and, as an inheritance of this early role, still route a great deal of traffic. As a result, traffic involving institutions’ IP addresses does not necessarily indicate targeting of those institutions.

That being said, given the communication with other IP addresses attributed to healthcare organizations and the centrality of educational institutions to healthcare and public health research, SecurityScorecard assesses with low confidence that the observed traffic reflects the activity discussed in the recent warning, which specifically noted that the actors in question had targeted the healthcare and public health sectors.

Meanwhile, the bitcoin wallet addresses discussed above may merit further investigation or monitoring, given their relationship with those named in #StopRansomware. The co-spending addresses may be controlled by the same threat actors who control the listed address with which they jointly made a payment. Likewise, the recipients of payments from these addresses may be involved in money laundering or in providing other services to the actors using those wallets.