Bureau 121 – Who are they?

Bureau 121 took the limelight recently after accusations that they were behind the WannaCry attacks that affected multiple countries. Although it was never confirmed by the North Korean government, a number of reports have pointed towards North Korea.

They are said to have around 1,800 members who are hand-picked from university and then trained for an additional 5 years before being given their assignment. These assignments could be anywhere across the globe, and as an incentive they are promised that their families will receive greater privileges.

They have been accused of a number of significant and high-profile cyber attacks, including the WannaCry virus and the attack on Sony.

Just after the WannaCry virus took the world by storm I speculated that there could have been North Korean involvement. This was later confirmed by both the UK and US governments, although the North Korean government has never officially taken credit for the attack.
The hacks that affected Sony Pictures before the release of the movie The Interview were also alleged to have been carried out by North Korea. This was later backed up by security researchers who reported that some of the code used in the hack was written in Korean. Although it was again never officially confirmed, it is quite easy to see the connection.

They are also said to conduct regular cyber-attacks aimed at South Korea, affecting a number of different sectors including banking and broadcasting companies. During 2013 it was alleged that an infected smartphone application was the work of Bureau 121.

While Bureau 121 are not a hacktivist or cyber crime group, they have been causing havoc across the globe and waging cyber-warfare. I find it almost baffling that in a country with such poor human rights and such a poor quality of life there is a division of the Korean Government which has the ability and skill set to disrupt and damage computer systems across the globe.

Source: CNN, Business Insider, The Market Mogul, BBCNews Week

What is a Keylogger?

Anyone who uses a decent anti-virus program and has contracted a virus may have seen a keylogger flagged. But what are they and how can they affect your daily life?

The origins of keylogger applications were within a business environment to monitor staff; the method of keylogging was also used by law enforcement to monitor criminals' activities.
There are a large number of keyloggers online that can be used in this way to allow businesses to monitor their employees (invasion of privacy or not, some companies will monitor their staff, and it is very likely that this will have been written into their contracts).

But as with many elements within the digital domain, it wasn't long after the conception of these applications that criminal entities saw the use and benefits of keyloggers: what could be better for them than being able to monitor a target's keystrokes from an external location?
Think about the amount of personal information you type into your system every day: passwords, user names and credit card numbers. By combining all of these bits of data, numerous crimes can be committed.

The methods of attack range from a simple hardware based keylogger, which can be incredibly difficult to find and detect unless you know what you are looking for, upwards. The image below shows 2 of the hardware based keyloggers that can be used to monitor your keystrokes. These little devices are connected between the keyboard and the computer. In some instances these devices can capture the keystrokes even before the operating system sees them.
Some of these devices require the attacker to physically collect the device in order to retrieve the data.
Some of the more sophisticated devices of this nature allow for a remote connection, meaning that the attacker can collect an almost unlimited amount of data.

[Image: hardware-keylogger] 2 hardware based keyloggers (on the right is a PS/2 connection and on the left a USB connection)

Software based keyloggers are a much more favoured method of attack, as they require no physical access to the target system and can be deployed across an almost unlimited number of devices at no cost to the attacker.
They can be delivered via any of the usual methods used to deploy malware, for example a malicious file being downloaded and then executed.
Much in the same way that a remote-capable hardware keylogger sends the recorded keystrokes to an external server, software based keyloggers can also be used to send data to a remote location.

While it might seem like a complex and daunting task to develop and build an application of this nature, it is actually much easier than one would initially think. A simple Google search turns up hundreds of tutorials and examples of code online.

This means that anyone from a casual script kiddie to an experienced programmer can develop a keylogger. Granted, the methods used to develop the application would vary with the skill set of the attacker, but the end result would ultimately be the same.

Current Research Focus

For anyone who has taken the time to view the about us section of Michael Talks Tech, they will see that I am currently in my final year of university. As a result, Michael Talks Tech has had to take a step back due to the amount of work I am dealing with at the moment.

My current research focus is within the domain of malware. I felt this was the best move for me due to my background and general interests.

Narrowing down the broad spectrum that is malware to a specific focus has led me down the path of Keyloggers. I found this domain intriguing as it allowed for my research to cover Cyber Security and loosely link into a small amount of Social Engineering.

As part of my research I have also been developing methods to scan and search for keyloggers on a system, which has led me down the path of MD5 signatures, although I am aware that detecting malware using MD5 signatures is a slightly outdated method (in comparison to self-learning detection methods).

This further led me down the path of machine learning to detect malware, using both MD5 signatures and the sandboxing method. Sandboxing is an interesting method to deploy, as it requires the detection program to run the suspected application in a 'sandbox' environment and from there check the application's interactions with the operating system.
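As an added example (not code from the Michael Talks Tech prototype), here is a minimal hash-signature scanner of the kind described above. The sample bytes and the signature table are constructed for the demo; it computes SHA-256 alongside MD5, and the one-byte variant in the demo tree shows the caveat that exact-hash signatures miss any file that differs by even a single byte.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample content standing in for a known keylogger binary
# and for an ordinary file. Not real malware, not real indicators.
SAMPLE_KEYLOGGER_BYTES = b"CONSTRUCTED-SAMPLE: pretend keylogger binary v1"
SAMPLE_BENIGN_BYTES = b"CONSTRUCTED-SAMPLE: ordinary text file"

# Constructed signature database: algorithm -> {hex digest: detection label}.
SIGNATURE_DB = {
    "md5": {hashlib.md5(SAMPLE_KEYLOGGER_BYTES).hexdigest(): "Sample.Keylogger.A"},
    "sha256": {hashlib.sha256(SAMPLE_KEYLOGGER_BYTES).hexdigest(): "Sample.Keylogger.A"},
}

def digests(data: bytes) -> dict:
    """Return the MD5 and SHA-256 hex digests of a file's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def match_signatures(data: bytes, sigdb=SIGNATURE_DB):
    """Return the detection label if any digest is in the database, else None."""
    d = digests(data)
    for algo, table in sigdb.items():
        label = table.get(d[algo])
        if label:
            return label
    return None

def scan_directory(root, sigdb=SIGNATURE_DB) -> dict:
    """Walk root recursively; return {relative posix path: label} for hits."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file():
            label = match_signatures(path.read_bytes(), sigdb)
            if label:
                hits[path.relative_to(root).as_posix()] = label
    return hits

def build_demo_dir() -> str:
    """Create a temporary tree: one signature hit, one benign file, one near-miss."""
    root = Path(tempfile.mkdtemp(prefix="sigscan_"))
    (root / "bin").mkdir()
    (root / "bin" / "klg.exe").write_bytes(SAMPLE_KEYLOGGER_BYTES)
    (root / "notes.txt").write_bytes(SAMPLE_BENIGN_BYTES)
    # Same sample with one extra byte: every exact-hash signature misses it.
    (root / "bin" / "klg2.exe").write_bytes(SAMPLE_KEYLOGGER_BYTES + b"\x00")
    return str(root)

if __name__ == "__main__":
    for rel, label in scan_directory(build_demo_dir()).items():
        print(f"{rel}: {label}")
```

Running the block reports only bin/klg.exe; the appended-byte copy is not caught, which is the gap that behaviour-based (sandbox) detection is meant to close.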

There is currently a prototype application in development aimed at detecting and removing malware applications. As a result of all this I have had to put Michael Talks Tech on the back burner, as it was becoming almost a full-time job in regard to a number of the posts that I have done and the research required for them.

Hopefully in the new year I will be able to start posting regularly again, as it is something that I find both interesting and also fun to do. Stay posted for much more to come!

UK Government Confirms WannaCry Speculation

Last week reports emerged of the UK government confirming their suspicions of WannaCry being a state sponsored attack involving North Korea.

Earlier this year, just after WannaCry came to prominence, I wrote an article, What is WannaCry, in which I speculated that, due to the nature and style of the attack, it did not appear to follow the traditional ransomware style. What I mean by this is that from the outset WannaCry was targeting and affecting core infrastructure as well as the public sector in the UK, with the result that WannaCry became something of a disruption. As a rule, ransomware attackers aim to make the process of decrypting the data as smooth and straightforward for the victims as possible. This is likely due to them being after one thing: money. Mozilla conducted an investigation as part of their Online Life is Real Life podcast series, and from their investigation they rated ransomware customer services. This highlights that the ransomware process cannot be too complicated, as that would reduce and limit the attackers' overall ability to collect the ransom.

But there are numerous articles floating around the web that indicate WannaCry made between $20,000 – $100,000. For an attack of this level that impacted hundreds of thousands of people it was a very poor take.
But the level of chaos and "denial of service" that WannaCry caused indicated to me that there was more to it than just the money. I am aware that in the traditional sense a denial of service or DDoS targets web services and floods them with packets. But in this case WannaCry affected ATMs as well as computers within hospitals, effectively denying service to them.

Of course the North Koreans released a statement to the effect that they had no involvement and that these accusations are nothing but wild speculation. But it is important to consider that this "speculation" was floating around from the beginning of WannaCry and was stated by a number of security research teams that looked into WannaCry. As well as this, the UK government would not make these accusations without a substantial level of evidence.

The North Koreans have in the past been accused of other attacks, mainly the attack on Sony. This attack was alleged to have happened due to the upcoming release of the movie The Interview.

Please let me know your views on the North Koreans' involvement in WannaCry in the comments below.