March 27 2025 GM

From TCU Wiki

Revision as of 14:18, 27 March 2025

Target Threats Research - A Breakdown of 3 Years of Civil Society Threat Research in South & North Korea

Join us on 27 March to hear from Ovi, a security researcher and threat analyst with over 10 years of experience, who will be taking us through:

  • A broad analysis of threats faced by CSOs in Korea, based on 100+ real-life events and threat research analyses conducted over the past 3 years.
  • A summary of attack vectors faced by CSOs in the region
  • Highlighting some of the most sophisticated attacks, explained in simple terms for non-techy folk

Featured Guest:

I am Ovi (pronounced Ovie). I have been a security researcher for over 10 years, with what started as a hobby (hacking) when I was a teenager. I work directly with civil society on threat research (spyware and malware), penetration testing/security assessments and building technology with a focus on underserved regions (in the context of threat research). I work with groups such as Security Matters Asia, Centre of Digital Resilience, Open Tech Fund and I have a project called BARGHEST, which is a civil society hacktivist collective with aims to decolonize and democratize threat research.

What is Glitter Meetup?

Glitter Meetup is the weekly town hall of the digital rights and Internet Freedom community at the IF Square on the TCU Mattermost, at 9am EDT / 2pm UTC. It is a text-based chat where digital rights defenders can share regional and project updates, expertise, ask questions, and connect with others from all over the world! Do you need an invite? Learn how to get one here.

Notes

Can you tell us what the threat research is about, how it started, why, and a summary of what it touches on?
  • It started with a project working with helplines and CSOs in Korea, and the idea was to incubate the idea that we could create a small, focused threat lab responsible for threat research of malware and other attack data happening to human rights defenders in Korea. We wanted to find high-sophistication attacks and bring over threat intelligence principles and methods such as data clustering and correlation into the picture too. https://www.0x0v1.com/targeted-threats-research-south-north-korea/
  • Downstream, the ultimate goal was to allow the helplines to have informed threat intelligence, and also to demonstrate that civil society groups with the right resources can identify spyware and uncover novel attacks to best protect the CSOs.
  • So it touches on a few things really -- uncovering sophisticated attacks on CSOs in the region, highlighting methods for how civil society groups can do this themselves, and how civil society doesn't necessarily need big tech to provide the intel.
Let's break it down a bit, what does the threat landscape of North and South Korea look like? And what were some of the key findings in these areas, i.e. the attacks, and methods for CSOs to do assessments themselves etc.
  • CSOs working on NK human rights across the peninsula really are under threat by one of the world's most sophisticated hacking groups (what the threat intelligence industry calls 'threat actors'). So in terms of a landscape for digital threats, it's a very scary one. North Korea over the years has been responsible for some of the most highly sophisticated 0-day, spyware and malware campaigns and has a political landscape that makes them unaccountable for their actions – with a huge amount of financial resources to invest in it. So really there are many compounding issues that CSOs face with the attacks that are occurring.
  • I think one of the key findings is that we found a new novel spyware which I called "RambleOn" (Easter egg: after the Led Zeppelin song, as that was playing in the background when I found it).
  • This malware was highly sophisticated, very intricate and used cloud services to operate, making it very stealthy. At the time of finding it there were no AV detections in place for it; but after the research was published on it, there was nearly entire coverage from all AV companies across all its variants, which is a huge win for defending activists in the region. This type of self-directed action is really what I'm all about, cause if we can make the big tech accountable by publishing research like this, we actually defend HRDs better.
  • In terms of methods for CSOs to do it themselves, really this is what my project BARGHEST (https://barghest.asia/en/) is about, which we can talk about later if you like. But really it's about capacity building and making the tools available and understood. With Barghest (https://barghest.asia/en/) what we are trying to do is build tools that can facilitate practitioners to self-direct threat research and forensics and then build capacity from that. Some of my work is with CDR, who are doing the same things too: https://digiresilience.org/
In your research you mentioned that CSOs have direct access to victims' experiences, devices, and infrastructure, how does this better position them to assess threats and provide supporting mechanisms to victims?
  • What's distinctive about threats faced by HRDs in Korea is that they have one of the world's most sophisticated actors targeting them -- an actor who is extremely well funded, persistent and has to face no accountability for their actions cause they are heavily sanctioned anyways... I think this is similar to other regions too across Asia, Latin America and Africa... all of which have little research being done on high-sophistication attacks, at least at the scale it is in North America and Europe etc.
Is this the same for South Korea? Or does this cover both locations?
  • Yeah, South Korea too, sorry, I should have clarified that. I would also say the technology stack is different; part of my work is to really think about how we can facilitate public interest technologists, security practitioners and helplines to self-direct and facilitate their own research in these locations. And also build supporting tech that can support that region, like for instance scope for identifying spyware on Android – which is heavily underserved by threat labs in civil society, despite representing like 72% of the global mobile market share.
Android is 72% of the global mobile market share, or spyware on Android?
  • Android devices like phones, tablets etc. Spyware research is largely focused on iOS because its log retention is good for detecting and identifying spyware, which makes it easier, but Android is more complicated and there doesn't seem to be much work being done to overcome that... which means for regions like Asia, Latin America, Africa who have a majority of Android users -- how do we identify spyware in those regions better? Those are the things I'm trying to figure out.
So you are saying if we facilitate technologists and security practitioners to self-direct and facilitate their own research there will be more insight on the threat landscape and modeling in different locations. But so many training of trainers have happened but the research is still not coming out? What's the breakdown?
  • Totally, I'm posing questions of how do we decentralize threat intelligence, and rather than focus on capacity building human skills, how do we actually build tech that can meet those humans where they are already at to do this.
What is very interesting to me is how much you uncovered over the three years. I was reading the findings and thinking how detailed it was. I am very curious, what methodology did you use to conduct the research?
  • We conducted security audits. I work with digital security practitioners who would do security audits for CSOs.
  • When they find forensic artifacts, like malware, phishing emails etc., I would take this data, index it and document it using the Diamond Model (https://www.recordedfuture.com/blog/diamond-model-intrusion-analysis), in a system like MISP (https://www.misp-project.org/). This helps build context, connections and insights.
  • CDR are also working on a simpler version of this for less technical folk: https://digiresilience.org/
It seems that a lot of threat detection tools, training and intelligence are oriented to malicious state or state-sanctioned actors. Does the same intelligence and digital security practice apply to non-state actors and interpersonal actors who threaten minorities, journalists and HRDs?
  • Yep totally. I think it's really important that we create decentralized "micro threat labs" kinda thing, that are making threat data ACTIONABLE and able to inform CSOs and activists in their region on what threats they are currently facing and likely TO face, now.
Can you say more about BARGHEST?
  • Yes, so BARGHEST is a project that we started this year to incubate and facilitate CSOs across the world to self-direct threat research for their region. We're currently in the process of developing 2 open-source technologies that support forensics and spyware detection on Android. But in the grand scheme of things, the project's bio is this:
  • "We are a non-profit collective of public interest technologists working within and for civil society. The mission is to create an ecosystem where we can empower and build resilience for public-interest technologists. Providing them with the tools, knowledge, and autonomy to investigate digital threats—without relying on bottlenecks, big-Tech or proprietary, closed-source solutions." Really we aim to decolonize and democratize threat research.
  • We have a website but it's not got much on it; in the next few months we'll be releasing the technology behind it: https://barghest.asia/en/
What does it stand for? Also, are there any additional things you are working on which you would like to share?
  • Barghest is a mythical creature from old English folklore stories (I'm originally from the UK), so it was just something that felt right, when dealing with such beastly things.
  • I'm also working on some great projects with https://SecurityMatters.Asia, we're supporting CSOs in Malaysia, Hong Kong, Cambodia and Thailand and we're collaborating with https://digiresilience.org/ on their technologies to help support helplines and threat data sharing/mapping.