Much of the world was glued to their television screens or laptops June 12 watching the livestream of the summit meeting between the U.S. President Donald Trump and North Korean leader Kim Jong Un. To say the event was an orchestration would be an understatement: As one would expect, Singapore locked down the physical security of the meeting locale, allowed both parties to bring in planeloads of vehicles and support entourage and participate in their own security.
Keeping China, South Korea, Japan and Russia in the Loop
Many countries had curiosity and some had vested interest in the outcome of the meeting of the two leaders—especially China, South Korea and Russia, which all share a land border with North Korea, and Japan, which always seems to be in the flight path of those North Korean “test missiles.” Bilateral meetings and phone calls were the norm between leaders and emissaries of both North Korea and the United States to keep these four nations in the loop on what was transpiring.
Did Russia Choose to Verify?
The researchers at F5 Labs published a report June 15 indicating the Russians were also present, albeit covertly. In their report, the researchers indicate that, between June 11 and 12, F5 and its data partner Loryka saw cyberattacks targeting Singapore skyrocket—and 88 percent of those originated from Russia. The report noted that 97 percent of global attacks originating in Russia were pointed at Singapore.
Clearly, one would conclude that that someone or an entity in Russia had invested considerable resources to draw information out of Singapore during the period when Trump and Kim were present and engaged.
What Did These Russian Cyberattacks Target?
F5 tells us:
- The attacks targeted VoIP phones and IoT devices.
- The attacks against the VoIP phones were initiated in Brazil.
- Reconnaissance scans were largely from a singular IP address in Russia—188.8.131.52.
On June 12, F5 estimates 40,000 attacks were launched, with 98 percent deemed reconnaissance scans looking for “vulnerable devices” and the other 8 percent “exploited attacks.”
Additional attacks, 34 percent of the attacks June 12 were attributed to Russia and the remainder to attackers using IP addresses associated with China, United States, France and Italy. Of these, only those from Brazil and Russia targeted VoIP-associated ports. See image below from F5 on the level of activity observed.
The spike of Singapore as a “targeted location” is an anomaly, one that coincided with the Trump-Kim summit. They note no “malware” was associated with these attacks against Singapore from Russia. The attacks, they note, against port 5060 “came primarily from Brazil.”
F5 analysts assume “that the attackers were trying to gain access to insecure phones or perhaps the VoIP server.” They further opined, “If any devices in Singapore had this port (Port 7457) open and were protected with default admin credentials, it is likely the attackers gained access and used man-in-the-middle attacks to intercept traffic through those devices, collecting data, redirecting traffic, and so on.”
I queried F5 whether these attacks originating from Brazil and Russia could have been initiated by someone other than Russia—a false flag, perhaps. Sara Boddy, director of F5 Labs, responded, “It is. We know the attacks came from systems in Russia, but anyone anywhere in the world can rent systems from that hosting provider in Russia that was launching the recon scans (the IP we disclosed). Because attacks from countries like Russia, China, Brazil go relatively unpunished, attackers use systems in those countries to launch attacks from.”
Attribution isn’t easy, and in this case, F5 noted in its report: “No attempt appears to have been made to conceal the attacks launched from Russia.”
Perhaps it is as it seems, as Russia clearly had a vested interest in verifying what it was being told by North Korea and/or the United States with its own technical collection sounding board.
That said, so did a number of other technically competent countries. Could the lack of attempt to hide the Russian attribution be a bit of operational gyration by the attacker? The offensive collection playbook has always said, “Give those doing the investigation something to find, and someone to blame.”
We may never know.
But one thing we do know, this is far more interesting than the USB drive fans made in China that were handed out to all of the media representatives present at the summit. Unless of course, each of them had a nefarious purpose beyond blowing hot air.