Korean Energy and Transportation Industries attacked by OnionDog APT

Chinese security researchers from cyber-security vendor, Qihoo 360 have blown the lid on a hacker group, ‘OnionDog’ which has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries through the Internet.

Big data correlation analysis tracked the hacker group’s first activity to October 2013 and in the next two years it was active between late July and early September.

OnionDog has used an arsenal of Trojans and USB worms for its targets.

The trojan, which only lives on average for about 15 days, was used to exfiltrate data from targeted companies and government agencies while the USB worm was developed as a Stuxnet-like threat which could reach targets that were not connected to the Internet.

OnionDog concentrated its efforts on infrastructure industries in Korean-language countries.

In 2015 this organization mainly attacked harbors, VTS, subways, public transportation and other transportation systems but in its preceding year, it attacked many Korean companies activating in the energy and water supply sectors.

360's Threat Intelligence Center found 96 groups of malicious code but all of it was programmed to self-delete, with no malware variant living more than 29 days.

Researchers also discovered 14 (command and control) C&C domain names and IP related to OnionDog which in 2015 were moved to the Darknet, operating via the Onion City Tor2web technology.

With average life cycle of 15 days, it became more difficult for the victim enterprises to notice and take actions than those active for longer period of time.

OnionDog's attacks were mainly carried out in the form of spear phishing emails which contained Trojan-laced executables that used the icon of popular Korean Word processing software called Hangul.

Later in 2015, the group switched tactics and started leveraging software vulnerabilities in the Hangul editor to download and install their malware automatically.

Similar, Hangul vulnerability seems to have been used by the Lazarus group, the APT suspected to have carried out the infamous Sony hack.

Even if nobody said the Lazarus group was operating from North Korea, all clues pointed toward that conclusion, and all clues point to the same conclusion for OnionDog as well.

Share this with Your friends: