An Inside Look at How The Asian Dark Internet Impacts Threat Hunters and CyberSecurity Teams
August 8th, 2018
The “Dark Web” is a growing buzzword in the world of cybersecurity and general technology. As it's grown in size and usage, various regions of the world have developed their own dark web communities and “codes of conduct” that can differ quite dramatically. One such region is Asia, whose underground Internet community has grown increasingly advanced and threatening to Western companies and governments. This has posed a number of new challenges for threat intelligence and cybersecurity teams who need to perform threat reconnaissance in these communities.
In this post, we share some of the key differences among major Asian Internet communities and what you need to know about their landscape.
Threat Reconnaissance Challenges in Asia
We often tend to associate hacking activities to Russian, North Korean or other English-speaking cyber groups. However, over the past few years, we’ve seen an increase in dark web and cyber activity across Asia. This new rise of the underground Asian Internet has presented companies and threat hunters across the globe with a number of new challenges.
- Fluency (Language & Culture): Finding cyber threat hunters who are fluent in the local language is a challenge alone. However, threat hunters also need to be intimately familiar with the dark web slang and rules of engagement of that region, so they can effectively blend in and perform reconnaissance.
- Governing Laws: Governments have developed different laws and attitudes towards their country's usage of the dark web and the Internet in general. This has created a number of interesting dynamics between Internet users and their governments. Knowing these laws is key to engaging in the communities to perform reconnaissance.
- Access: It can be incredibly difficult to gain access to the right secret forums and networks. Many hackers throughout Asia are not even using the dark web or openly-accessible anonymous networks. This leads to a number of additional challenges threat hunters must work around.
If you want to leverage these regions for threat intelligence, you need the right tools, expertise and access to navigate the differences between these various landscapes. Let's take a look at some of the Asian countries most active on the Internet.
The origin of the dark web scene in Japan can probably be traced back to late 2012 or the beginning of 2013. While many people consider illegal activity to be the primary use for the dark web, Japan perceives the dark web differently. Many Japanese users view it as an alternate universe where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web.
While the Japanese dark web can be completely innocent at times, there are still many illegal activities that take place. The Japanese dark web offers many different goods and services, but the two most common commodities are:
- Child pornography
While this is not vastly different from other dark webs, there are some key differences in how vendors sell and engage buyers for these goods. Quite a few Japanese drug dealers allow prospective buyers to sample their product and return it free-of-charge if they’re not satisfied (you’d be hard-pressed to find that type of service from other drug dealers, either online or in- person). They also tend to be much more respectful than their Western counterparts, which you can see based on the distinct differences in casual Japanese (which is used with family and friends) compared to the various levels of polite and formal Japanese (that is used with strangers and in business), which they opt for.
Image 1: This Japanese user is attempting to sell a credit card database. Since it is the first time a database of this sort is being sold on the board, they mention they would like to set the price in accordance with the buyers. This is an example of the polite Japanese mindset on Dark Web bulletin boards.
The Internet arrived in China in 1994. By the year 2000, there were about 22.5 million Internet users within China, which was only about 1.8% of this huge country’s population. By 2018, China’s Internet population reached more than 772 million users, with a penetration rate of 55.8%, exceeding the global average of 51.7%. Throughout these early years, Chinese hackers were very unsophisticated, but over the past 10 years, the hacker culture has evolved tremendously. Chinese hackers have become highly equipped, mature, advanced and well-experienced.
Unlike most other countries, China uses a government-controlled Internet network that allows the government to monitor and control all access, activity and users across this network, as well as blocking the access to some foreign webpages. This has created an interesting dynamic amongst Chinese Netizens (Internet Users) and makes it particularly difficult to conduct threat reconnaissance against Chinese hackers.
The relationship between the Chinese government and Chinese hackers is quite interesting. As long as the hackers are “helping” the Chinese government’s interest and agenda, they typically cooperate with one another. However, when a Chinese hacker’s interests do conflict with national interests, the government will do anything and everything to restrict, censor and even prosecute the hacker.
Chinese Dark Web Usage
While in other countries cyber criminals would usually turn to the deep and dark web in order to offer their services or products, the Chinese are more active on the clear net because the government limits access to the dark web. In addition, cybercriminals can reach a greater pool of buyers on the clear Chinese Internet and achieve higher profits. Obviously, this makes it more risky for the seller, so Chinese cyber criminals use special “jargon” or “code names” to avoid government censors and crackdowns. While there are tens of thousands of dark websites in Russian and English, the number of Chinese websites is rather small.
Chinese Black Market Goods & Services
The Chinese are known to have a wide variety of materials and services available across their clear and dark web. Here are some of the most common goods and terminology used across the Chinese Internet.
- Drugs / Narcotics
- Forged Documents (e.g. fake passports and IDs, fake diplomas, GPA changing services)
- Data For Sale (e.g. private info, company data, financial data)
- Cybersecurity Tools & Services (e.g. DDoS services, exploits, malwares, hacking tutorials)
- Other (e.g. child pornography, human organs)
Image 2: Pricing and packages for DDoS services
Chinese Cyber Nationalism
The Chinese have a strong sense of national pride, which is one of their noticeable differences when it comes to cyber activity. The Chinese Red Hacker groups believe that hostile activity against Chinese interests should be answered with an appropriate cyber response. It is a sense of nationalism that encourages them to attack back as a way of protecting their country.
This is one of the key differences between Chinese Internet users and other users across Asia.
The origin of dark web activity in South Korea is estimated to have begun in the mid-2000s. According to security researchers, the number of South Korean users that are active in the dark web is increasing every year. Most of the South Korean dark web sites are used for illegal activity. These sites are relatively small compared to the number of Internet users in the country, but activity has increased over the past few years. The most common South Korean dark websites are:
- Black markets: The leading products are narcotics and credit card information
- Child pornography
- Hidden wikis
- Hacking forums
Image 3: Popular South Korean black market (EurAsia)
It’s believed that the Indonesian dark web began in the late 2000s. In Indonesia, the dark web is not considered to be a “big issue” or critical hacking tool. In fact, most cyber criminals in Indonesia still prefer the surface web and mobile apps, since many common illegal services can be found in regular websites on the clear web.
Because gambling and casino games are illegal in Indonesia, gambling sites have become increasingly popular, which is one of the primary uses of the dark web in Indonesia. In addition, there are a few hundred dark web sites which offer date rape drugs (known as “Rohypnol”) and child pornography materials.
Image 4: Indonesian hacking forum and black market for malware and exploits
The Internet arrived to Vietnam in the early 2000s. At the beginning, it was primarily used by big companies, government offices and universities, and the government kept strict control over access and content for Vietnamese citizens. As a result, dark web activity started in the late 2000s, where users primarily visited Western dark web sites. Most of the Vietnamese dark web sites are black markets, with the most popular and dominant language being English. The reason for this is that Vietnamese vendors want to reach as many customers as possible and avoid the Vietnamese government and law enforcement agencies.
In June 2017, the Vietnamese government created the Cybersecurity Bill. The goal of this legislation is to allow the government to continue censoring the Internet in Vietnam. This new bill forced many Vietnamese threat actors and black market vendors to the dark web so they could continue with their activities.
The Asian dark web is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn’t mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher.
As a threat hunter and cybersecurity professional, it’s important to know the political and cultural dynamics behind each of these country’s dark web landscapes to understand the motivations and tactics of your adversaries. Knowing their jargon, culture and litigation will help you more effectively conduct threat reconnaissance and protect your organization.
This is just the tip of the iceberg when it comes to the Asian Internet community. To read further, download our Dark Side of Asia Research Report.
Hadar is a Threat Intelligence Research Analyst at IntSights, focused on the Asian Dark Web with an emphasis on the Chinese Dark Web. She lived in China for 5 years and speaks fluent Chinese. Hadar researches criminal activity across the Asian Dark Web to uncover key intelligence from unique sources. She believes the Asian cyber ecosystem is still mostly unknown and finds it very interesting to explore this secret underworld.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.