A Guided Tour Of The Asian Dark Web

The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights' director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. "It's been live for a few years, and is being maintained on a regular basis," explained Kozuch. The page is organized in sections and even provides an 'editor's choice' selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.

"It's a good place to start a foray into the dark web," said Kozuch. Despite this expansive index onto blacker parts of the dark web, the IntSights report, "At the moment, there are no significant threat actors that operate out of South Korea."

Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. "The most important feature for the researcher," continued Kozuch, "are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency." This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals -- although it does offer advice on how to obtain bitcoin and is willing to ship produce outside of China. The price is also 30% to 40% lower than is typically found in western black markets.

From there we moved to Japan. The Japanese dark web has one major difference to other parts: it is remarkably polite. "Many Japanese users view it as an alternate universe," says the report, "where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web." It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One even asks the visitor to suggest a price for the products.

We visited the Japanese branch of Anonymous, which is a bit of an exception. "Its primary purpose is protest against the Japanese government on environmental issues," explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. "Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan." The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary -- methodologies for DDoS, SQLi, XSS and other attack vectors.

We then visited another Japanese language site that is a bit different -- a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology, "What's really remarkable," added Kozuch, "is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn. After analyzing the style and content, "We came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan." The report adds that it may be a North Korean (or Chinese) group "that is attempting to gather intelligence for some attack on or operation in Japan)."

We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits). 

The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service -- a fairly unique offering selling different options of strength and duration. "The largest offering," Kozuch pointed out, "is for a 500 Gb attack with unlimited connections."

The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms. 

The last was Hack80, a hacking forum more in line with the better known Russian underground forums. "It offers everything you might find in the traditional Russian hacking forums," said Kozuch: "bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything -- if you're Chinese, of course. You cannot ask questions or get answers in English." This isn't surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).

Kozuch believes it is time for the West to take the Chinese dark web more seriously. "We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China."

The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.

"I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of," he told SecurityWeek. "It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using." 

He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. "Usually, APT groups (with the exception of North Korea) are not after money -- they're after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren't aware of." As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention -- and ire -- of the local police.

But this doesn't mean there is no collusion at all between the criminal groups and the Chinese government. "I haven't found any evidence that private groups are sub-contracting for the government," he continued, "but I really believe that it is happening -- like in many other places around the world. Sometimes the government doesn't have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules."

"The Asian dark web," concludes the IntSights research, "is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn't mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher."

SecurityWeek:

You Might Also Read:

What Is the Dark Web? Can You Access It?

« AI Takes Hacking To Another Level
CyberStars Cyber Security Competition »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CORDIS

CORDIS

CORDIS is the European Commission's primary public repository and portal to disseminate information on all EU-funded research projects and their results.

Talend

Talend

Talend is a leader in cloud and big data integration software. Applications include Risk and Compliance management.

CSR Privacy Solutions

CSR Privacy Solutions

CSR Privacy Solutions is a leading provider of privacy regulatory compliance programs for small and medium sized businesses.

Aqua Security Software

Aqua Security Software

Aqua Security helps enterprises secure their cloud native applications from development to production, whether they run using containers, serverless, or virtual machines.

CERT.LV

CERT.LV

CERT.LV is the national Computer Emergency Response Team for Latvia.

DeviceAssure

DeviceAssure

DeviceAssure enables organizations to reliably identify counterfeit and non-standard devices with a real-time check on a device's authenticity.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

Pixm

Pixm

Pixm’s computer vision based approach offers a truly unique and effective means to protect organizations from web-based phishing attacks.

Mitiga

Mitiga

Mitiga uniquily combines the top cybersecurity minds in Incident Readiness and Response with a cloud-based platform for cloud and hybrid environments.

Mosaic Insurance

Mosaic Insurance

Mosaic is a next-generation global specialty insurer distinguished by an exceptional team, agile technology, and a structure that combines Lloyd’s of London strength with a global distribution network

Matrixforce

Matrixforce

Matrixforce is a vetted IT support provider that uses the patented Delta Method of streamlining technology for financial and professional service firms to reduce complexity and avoid risk.

PhishFirewall

PhishFirewall

PhishFirewall is an advanced AI-driven CyberSecurity Awareness Education, Threat Emulation, and Human Security Analytics Platform.

Esprinet

Esprinet

The Esprinet Group is an enabler of the technology ecosystem: a team of people who promote access to technology through an extensive network of professional resellers.

Hawk AI

Hawk AI

Hawk AI’s mission is to help financial institutions detect financial crime more effectively and efficiently using AI to enhance rules and find anomalies.

Lakera

Lakera

Lakera empowers developers and organizations to build GenAI applications without worrying about AI security risks.

Alset Technologies

Alset Technologies

Alset Technologies provides DASH - a comprehensive solution to DISA STIG (Security Technical Implementation Guide) compliance.