New report finds North Korea's XMR mining increased tenfold in 2019, online activity up 300%

2020-2-14 17:28


A report published by cybersecurity organization Insikt Group claims internet use in North Korea has grown significantly in the past three years. The group cites a “300% increase in the volume of activity to and from North Korean networks since 2017,” and part of this activity involves monero (XMR) mining. Insikt observes a tenfold increase in mining of the privacy coin by the DPRK since May 2019. Though the global internet is used only by elite parties in the communist nation, crypto is said to be mined in an effort to avoid Western sanctions, with monero likely “more attractive than Bitcoin” according to the group, thanks to its anonymity.


New Report by Insikt Group on North Korean Mining Activity

Insikt Group, a division of private cybersecurity firm Recorded Future, has just released a new report on internet activity in North Korea which finds that both internet usage and mining of monero have increased drastically in recent months.

“For this research, Insikt Group examined North Korean senior leadership’s internet activity by analyzing third-party data, IP geolocation, Border Gateway Protocol (BGP) routing tables, network traffic analysis, and open source intelligence (OSINT) using a number of tools,” the paper states. “The data analyzed for this report spans from January 1, 2019 to November 1, 2019.”

As global internet usage is restricted to elite parties and political officials in the communist regime, findings on crypto mining and network usage can be viewed as all the more compelling. Insikt observes:

For the North Korean political and military elite, the 2019 data show that the internet is not simply a fascination or leisure activity, but is a critical tool for revenue generation, gaining access to prohibited technologies and knowledge, and operational coordination.


The report analyzes the global internet, accessible only to these parties, and does not focus on activity occurring via “Kwangmyong,” the country’s domestic intranet.

https://go.recordedfuture.com/hubfs/reports/cta-2020-0209.pdf

10x Increase in Monero Mining

For those in the crypto space, the finding likely to be most notable relates to mining of XMR in the regime. Stating that as of November last year the group has continued “to observe small-scale mining of Bitcoin,” Insikt details, “The traffic volume and rate of communication with peers has remained relatively static over the course of the last two years,” and that “we remain unable to determine hash rate or builds.”

While North Korea has previously been reported to be involved in the mining, stealing, or generating of bitcoin, litecoin, and monero, Insikt emphasizes:

By our assessment, as of November 2019, we have observed at least a tenfold increase in Monero mining activity. We are unable to determine the hash rate because all of the activity is proxied through one IP address, which we believe hosts at least several unknown machines behind it.

The report cites the “Wannacry” ransomware attack of 2017, noting: “Monero has been used by North Korean operators since at least August 2017, when the Bitcoin profits from the Wannacry attack were laundered through a Bitcoin mixer and ultimately converted to Monero.”

The group further elaborates: “Monero is also different in that it was designed to be mined by non-specialized machines, and its mining ports tend to scale by capacity. For example, many miners use port 3333 for low-end machines, and port 7777 for higher-end, higher-capacity machines.” The notable increase is observed as occurring over port 7777 according to the group, which added:

…we believe that these two factors — anonymity and the ability to be mined by non-specialized machines — likely make Monero more attractive than Bitcoin to North Korean users.
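The port-tier pattern the report describes (port 3333 for low-end miners, port 7777 for higher-capacity ones) is something a network defender can check for in their own connection logs. The following is an added example, not code from the report or from Insikt Group: it parses a constructed, simplified connection log (hypothetical addresses, Zeek-style fields), aggregates traffic per destination and mining port, and reports which tier dominates. As the report itself cautions, byte volume through an egress indicates activity, not hash rate, and all internal sources collapse to one address once traffic is proxied.

```python
from collections import defaultdict

# Constructed sample connection records, one per line:
# "<src> <dst> <dport> <orig_bytes> <resp_bytes>". All hosts are invented.
SAMPLE_CONN_LOG = """\
10.0.0.5 203.0.113.10 443 1200 8800
10.0.0.7 198.51.100.20 3333 4000 2100
10.0.0.8 198.51.100.20 7777 52000 3100
10.0.0.8 198.51.100.20 7777 61000 3300
10.0.0.9 198.51.100.20 7777 58000 2900
10.0.0.6 203.0.113.11 53 300 600
10.0.0.5 203.0.113.10 443 900 7200
"""

# Port-to-tier mapping as described in the report (assumed convention, not a standard).
MINING_PORT_TIERS = {3333: "low-end", 7777: "high-capacity"}


def parse_conn_log(text):
    """Parse the constructed log format into (src, dst, dport, orig_bytes, resp_bytes)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        src, dst, dport, orig_bytes, resp_bytes = parts
        records.append((src, dst, int(dport), int(orig_bytes), int(resp_bytes)))
    return records


def summarize_mining_ports(records):
    """Per (dst, port) on a known mining port: flow count, total bytes, distinct sources.

    The distinct-source count is only meaningful from a vantage point inside the
    network; outside a NAT/proxy egress every source appears as a single address,
    which is exactly why the report could not derive a hash rate.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for src, dst, dport, orig_bytes, resp_bytes in records:
        if dport in MINING_PORT_TIERS:
            entry = agg[(dst, dport)]
            entry["flows"] += 1
            entry["bytes"] += orig_bytes + resp_bytes
            entry["sources"].add(src)
    return {
        (dst, port): {
            "tier": MINING_PORT_TIERS[port],
            "flows": v["flows"],
            "bytes": v["bytes"],
            "sources": sorted(v["sources"]),
        }
        for (dst, port), v in agg.items()
    }


def dominant_tier(summary, dst):
    """Tier carrying the most bytes to a destination, or None if no mining-port traffic."""
    best = None
    for (d, _port), entry in summary.items():
        if d == dst and (best is None or entry["bytes"] > best[1]):
            best = (entry["tier"], entry["bytes"])
    return best[0] if best else None


if __name__ == "__main__":
    summary = summarize_mining_ports(parse_conn_log(SAMPLE_CONN_LOG))
    for (dst, port), entry in sorted(summary.items()):
        print(f"{dst}:{port} ({entry['tier']}): {entry['flows']} flows, "
              f"{entry['bytes']} bytes, sources={entry['sources']}")
    print("dominant tier to 198.51.100.20:", dominant_tier(summary, "198.51.100.20"))
```

Port numbers alone are a weak indicator: pools can listen on any port and sessions are frequently wrapped in TLS, so a production detector would combine this with protocol identification (Stratum JSON-RPC strings in the first packets) or known-pool address lists. The example's value is the aggregation shape, not the two port constants.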

Malware, Foreign Operators, and DNS Tunneling — Other Means for Revenue Generation and Obfuscation

Insikt Group’s report also details various hacking schemes and obfuscation techniques thought to be used by DPRK to generate revenue, evade sanctions, and even “to acquire nuclear-related knowledge banned by U.N. sanctions.”

“North Korean defectors have also talked extensively about the role that foreign countries play — many unknowingly — in the Kim regime’s cyber operations,” the group notes. “From the cyber perspective, third-party countries are used by the Kim regime to both train and host state-sponsored operators.”

Regarding malware, Pyongyang-linked hacker group “Lazarus” is one example of how the North Korean government may be leveraging fake “trading platforms” to generate funds. As news.Bitcoin.com reported last month, multiple fronts for phony trading platforms have been discovered, and Telegram groups were also leveraged to deliver sophisticated malware.

The Insikt Group report further details changes in North Korean opsec behavior, with the incorporation of domain name system (DNS) tunneling. “The original intent for DNS was to ease the lookups and associations of domains and IP addresses, not to secure that process,” the group elaborates. “As a result, and because DNS is so critical to a network’s operation, DNS ports (port 53 typically) are left open, and traffic is relatively unscrutinized.”

DNS tunneling is when the DNS protocol is used not for domain resolution but for transferring or tunneling data between networks or devices.

The report maintains that though DNS tunneling is nothing new, North Korean users appear to have introduced the practice just recently, in mid-2019.
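Because DNS traffic is, as the report puts it, “relatively unscrutinized,” the practical defender's question is what a tunnel looks like in a query log. The block below is an added example (not from the report or Insikt Group) that scores queries from a constructed, simplified DNS log using three common heuristics: unusually long subdomains, high-entropy subdomain labels, and record types that carry bulky payloads (TXT, NULL). All client addresses and domain names are invented, and the thresholds are tunable assumptions rather than published values.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<client> <qtype> <qname>" per line.
# Every address and domain here is invented for the example.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 TXT example.com
10.0.0.9 TXT 4a6f686e2d446f652d7573657264617461.t.tunnel-example.net
10.0.0.9 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0ff.t.tunnel-example.net
10.0.0.9 TXT 00112233445566778899aabbccddeeff01.t.tunnel-example.net
10.0.0.9 NULL ffeeddccbbaa99887766554433221100aa.t.tunnel-example.net
10.0.0.5 A cdn.example.com
"""

BULKY_TYPES = {"TXT", "NULL"}  # record types commonly abused to carry large payloads


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base_domain).

    Simplification: the base domain is taken as the last two labels. A production
    detector should use the public suffix list so that names like foo.co.uk split
    correctly.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_points(qtype, qname, min_len=30, min_entropy=3.0):
    """Score one query: +1 long subdomain, +1 high-entropy subdomain, +1 bulky type."""
    sub, _ = split_name(qname)
    points = 0
    if len(sub) >= min_len:
        points += 1
    if len(sub) >= 16 and shannon_entropy(sub) >= min_entropy:
        points += 1
    if qtype.upper() in BULKY_TYPES:
        points += 1
    return points


def parse_dns_log(text):
    """Parse the constructed log format into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines
        client, qtype, qname = parts
        records.append((client, qtype, qname))
    return records


def find_tunnel_suspects(records, min_points=2, min_queries=3):
    """Group suspicious queries per (client, base domain) and flag groups at or above min_queries.

    Grouping by base domain matters: a tunnel sends many distinct high-entropy
    names under one attacker-controlled zone, whereas a single odd-looking query
    is usually noise (CDN hostnames, DKIM lookups, anti-spam hashes).
    """
    groups = defaultdict(lambda: {"suspicious": 0, "total": 0})
    for client, qtype, qname in records:
        _, base = split_name(qname)
        g = groups[(client, base)]
        g["total"] += 1
        if query_points(qtype, qname) >= min_points:
            g["suspicious"] += 1
    return sorted(
        (client, base, g["suspicious"], g["total"])
        for (client, base), g in groups.items()
        if g["suspicious"] >= min_queries
    )


if __name__ == "__main__":
    for client, base, bad, total in find_tunnel_suspects(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{client} -> {base}: {bad}/{total} queries look like tunnel traffic")
```

The single-query scoring deliberately requires two independent signals before a query counts, and the per-zone grouping requires repetition, which keeps legitimate bulky TXT lookups (SPF, DKIM) from tripping the detector. On real resolver logs the next refinements are query rate per zone over a time window and the ratio of unique subdomains to total queries, both of which a tunnel drives up sharply.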

Source: bitcoin.com