The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.
The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights’ director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.
We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. “It’s been live for a few years, and is being maintained on a regular basis,” explained Kozuch. The page is organized in sections and even provides an ‘editor’s choice’ selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.
“It’s a good place to start a foray into the dark web,” said Kozuch. Despite this expansive index onto blacker parts of the dark web, the IntSights report notes: “At the moment, there are no significant threat actors that operate out of South Korea.”
Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. “The most important feature for the researcher,” continued Kozuch, “are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency.” This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals — although it does offer advice on how to obtain bitcoin and is willing to ship product outside of China. Prices are also 30% to 40% lower than those typically found in western black markets.
From there we moved to Japan. The Japanese dark web has one major difference from other parts: it is remarkably polite. “Many Japanese users view it as an alternate universe,” says the report, “where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web.” It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One site even asks the visitor to suggest a price for the products.
We visited the Japanese branch of Anonymous, which is a bit of an exception. “Its primary purpose is protest against the Japanese government on environmental issues,” explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. “Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan.” The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary — methodologies for DDoS, SQLi, XSS and other attack vectors.
We then visited another Japanese language site that is a bit different — a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology. “What’s really remarkable,” added Kozuch, “is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn.” After analyzing the style and content, he said, “We came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan.” The report adds that it may be a North Korean (or Chinese) group “that is attempting to gather intelligence for some attack on or operation in Japan.”
We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits).
The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service — a fairly unique offering selling different options of strength and duration. “The largest offering,” Kozuch pointed out, “is for a 500 Gb attack with unlimited connections.”
The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms.
The last was Hack80, a hacking forum more in line with the better known Russian underground forums. “It offers everything you might find in the traditional Russian hacking forums,” said Kozuch: “bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything — if you’re Chinese, of course. You cannot ask questions or get answers in English.” This isn’t surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).
Kozuch believes it is time for the West to take the Chinese dark web more seriously. “We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China.”
The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.
“I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of,” he told SecurityWeek. “It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using.”
He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. “Usually, APT groups (with the exception of North Korea) are not after money — they’re after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren’t aware of.” As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention — and ire — of the local police.
But this doesn’t mean there is no collusion at all between the criminal groups and the Chinese government. “I haven’t found any evidence that private groups are sub-contracting for the government,” he continued, “but I really believe that it is happening — like in many other places around the world. Sometimes the government doesn’t have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules.”
“The Asian dark web,” concludes the IntSights research, “is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn’t mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher.”
Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million. IntSights was founded in 2015 by Alon Arvatz, Gal Ben David and Guy Nizan.
Keeping it on the Down Low on the Dark Web
Sites on the Dark Web Have Several Motivations to Unmask Their Visitors
So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before… How did this happen?
The dark web is an active area for online investigations and research. Because you need to use the Tor anonymity service to access dark web sites, also known as Tor hidden services, many people assume that makes them robustly anonymous. Unfortunately, there are still many ways you can be exposed and have your activities compromised if you don’t take the right precautions.
Sites on the dark web have several motivations to unmask their visitors. Obviously, they want to spot any members of law enforcement who might be visiting. Additionally, they might want to gain some sort of leverage over their visitors, who may be using the site for a number of questionable activities.
There are several known attacks against the Tor network and other similar low-latency anonymity networks. One class of attacks, called traffic confirmation attacks, is based on having control of a significant fraction of the most popular Tor nodes. If the attacker controls the first hop in a chain (the guard node) as well as the last (the exit node), then creates a pattern in the data at one end of the chain, it can be recognized coming out at the other. Fortunately, it is not easy for an attacker to get control of enough nodes to carry out this type of attack, likely because there are thousands of active nodes a given user could choose.
The situation is different with a dark web site. If the site wants to identify a visitor, the site owner only needs to have you use a guard node they control. Because they control the web servers, they always have the ability to inject patterns of activity. Requiring only a single controlled Tor node makes the odds of this attack working much higher.
Bitcoin provides another method of identity exposure. Contrary to popular belief, Bitcoin is not anonymous at all. Every single Bitcoin transaction is recorded in the public blockchain and can be seen and analyzed by anyone. Bitcoin is a dominant payment mechanism on dark web marketplaces. When you buy or sell something on these sites it creates an opportunity for tracking and identification. All coins that were mined by the same server or purchased into the same wallet can be followed. This can easily tie investigations together and reveal odd patterns of activity. With access to information in the bitcoin exchanges, it can even lead to real names or IP addresses.
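The paragraph above says that coins spent from the same wallet "can be followed" on the public blockchain. The script below is an added example, not part of the original column, showing the two basic moves a blockchain analyst makes: following coins forward through transaction outputs, and merging addresses that are spent together in one transaction into a single wallet cluster (the common-input-ownership heuristic). The transaction ids and addresses are constructed for this example; real analysis tooling applies many more heuristics and must handle CoinJoin-style transactions that deliberately break this one.

```python
"""
Added example (not from the original article): toy blockchain analysis.

Two techniques on a constructed set of Bitcoin-style transactions:
  1. follow_coins      - walk forward from an address through every
                         transaction that spends it, collecting outputs.
  2. cluster_addresses - common-input-ownership heuristic: all inputs of one
                         transaction are assumed to belong to one wallet, so
                         they are merged with union-find.
Combining the two attributes addresses that were never directly reached
(addrE below) to the same owner as the starting point.
All txids and addresses are made up for this example.
"""
from collections import defaultdict

# Constructed sample: (txid, [input addresses], [output addresses])
SAMPLE_TXS = [
    ("tx1", ["addrA", "addrB"], ["addrM1", "addrC"]),  # A and B spent together
    ("tx2", ["addrC"],          ["addrM2", "addrD"]),  # C spent alone
    ("tx3", ["addrD", "addrE"], ["addrM3"]),           # D and E spent together
    ("tx4", ["addrX"],          ["addrY"]),            # unrelated wallet
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return {address: cluster_id}; inputs of one tx share a cluster."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        for addr in inputs + outputs:
            uf.find(addr)  # register every address seen on chain
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)  # co-spent inputs -> same wallet
    return {addr: uf.find(addr) for addr in uf.parent}


def follow_coins(txs, start):
    """Addresses reachable from `start` by following spends through outputs."""
    spends = defaultdict(list)  # input address -> output lists of txs spending it
    for _, inputs, outputs in txs:
        for addr in inputs:
            spends[addr].append(outputs)
    seen, stack = set(), [start]
    while stack:
        addr = stack.pop()
        for outs in spends.get(addr, []):
            for out in outs:
                if out not in seen:
                    seen.add(out)
                    stack.append(out)
    return seen


def addresses_in_same_wallets(txs, start):
    """Every address belonging to a wallet that `start`'s coins pass through."""
    clusters = cluster_addresses(txs)
    touched = {start} | follow_coins(txs, start)
    ids = {clusters[a] for a in touched}
    return sorted(a for a, c in clusters.items() if c in ids)


if __name__ == "__main__":
    for addr in addresses_in_same_wallets(SAMPLE_TXS, "addrA"):
        print(addr)
```

Starting from addrA alone, the forward walk reaches addrC, addrD and the merchant-style outputs, and the clustering step then pulls in addrB and addrE because they were spent alongside addresses on that path; addrX and addrY stay untouched. This is the mechanism behind the text's point that a single exchange record tying one address to a name can expose a whole wallet's history.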
Dark web sites are also a likely source of malware that can unmask you. Unless your entire operating environment is isolated from your real desktop, the malware may leak your real IP address and other identifiers. Of course, it can also directly steal data off your computer and do all the other things malware normally does.
Non-technical errors can trip you up as well. While not specific to exposure on the dark web, things like your writing style and choice of account names can reveal your true identity. Site operators can also pass you beacons and canary traps. Beacons are active content that try to phone home with identification when they are opened. Viewing these documents and files on a normal desktop will immediately expose you. Canary traps are more subtle. A website can provide slightly different versions of certain content to each visitor. Any time that content shows up somewhere else, the site knows who shared it.
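The paragraph above describes beacons as active content that phones home when a file is opened. The script below is an added example, not part of the original column, of the check an investigator can run before opening anything downloaded from such a site: it lists every reference that would make a viewer contact a remote host, covering auto-fetched resources in HTML (images, scripts, frames, stylesheets, CSS url() values) and external relationship targets inside an Office Open XML package. The sample HTML and the in-memory .docx-style zip are constructed for this example, and the hostnames in them are placeholders.

```python
"""
Added example (not from the original column): list remote references in a
file before it is opened, so a beacon is found rather than triggered.
Sample inputs below are constructed; hostnames are placeholders.
"""
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes that a renderer fetches automatically, without a click.
AUTO_FETCH = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for attributes listed in AUTO_FETCH."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def _is_remote(url):
    """True if fetching `url` would leave the machine."""
    scheme = urlparse(url).scheme.lower()
    return scheme in ("http", "https", "ftp") or url.startswith("//")


def html_beacons(html_text):
    """Return [(tag, url)] for every auto-fetched resource on a remote host."""
    parser = _RefCollector()
    parser.feed(html_text)
    hits = [(tag, url) for tag, url in parser.refs if _is_remote(url)]
    # url(...) inside inline styles or <style> blocks is fetched on render too.
    for m in re.finditer(r"url\(\s*['\"]?([^'\")]+)", html_text, re.I):
        if _is_remote(m.group(1)):
            hits.append(("css-url", m.group(1)))
    return hits


def docx_beacons(docx_bytes):
    """Return [(rels_file, target)] for external relationship targets in OOXML."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                rel = m.group(0)
                if 'TargetMode="External"' not in rel:
                    continue
                target = re.search(r'Target="([^"]+)"', rel)
                if target and _is_remote(target.group(1)):
                    hits.append((name, target.group(1)))
    return hits


# Constructed sample HTML: one local image (fine) and three remote fetches.
SAMPLE_HTML = """<html><body>
<p>Quarterly figures attached.</p>
<img src="images/logo.png" alt="local, fine">
<img src="http://tracker.example.invalid/p.gif?id=visitor-7" width="1" height="1">
<link rel="stylesheet" href="https://cdn.example.invalid/style.css">
<div style="background:url('https://tracker.example.invalid/bg.png')"></div>
</body></html>"""


def build_sample_docx():
    """Constructed minimal OOXML-style zip whose rels point at a remote template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://tracker.example.invalid/t.dotm" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in html_beacons(SAMPLE_HTML) + docx_beacons(build_sample_docx()):
        print(*hit)
```

Anything this check lists should be treated as a reason to open the file only in an isolated, network-less environment; an empty list is not proof of safety, since formats such as PDF and email carry their own fetch mechanisms that this scanner does not cover.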
The rate at which dark web markets are being compromised, in one way or another, has gotten high enough that much of the online criminal activity has moved to new platforms. Rather than communicating in forums on dark web sites, there has been a shift toward one-to-one communication applications that provide end-to-end encryption. This may make investigations more difficult, because there is no central location for discussions. Establishing trust and communication will be much more difficult.
Hiding your true identity is always important whenever you are conducting investigations online. The fact that you are visiting a Tor hidden service / dark web site does not mean you are safe or hidden. It is critical to take additional steps to protect yourself when conducting these operations.