Executive Summary

According to the Incident Report released by KLAYswap, the first case of using the KLAYswap UI to transfer tokens into an attacker’s wallet took place on February 3, 2022.

KLAYswap posited that the cause of the incident was a malicious code download, disguised as a Kakao SDK file, delivered through an external network attack.

KLAYswap and other KakaoTalk-related services dynamically load the Kakao SDK (Software Development Kit) for marketing purposes. During this attack, services that load the same SDK found that the connection either failed or slowed down.

  • Kakao SDK download path: https://developers[.]kakao.com/sdk/js/kakao.min.js

After analyzing this attack, the S2W TALON team observed that the BGP hijacking technique was used for the aforementioned external network attack. By manipulating the network flow through BGP Hijacking, the attacker configured users connected to KLAYswap to download malicious code from the attacker’s server rather than the normal SDK file.

It is known that the malicious code was served only to users who reached the server through KLAYswap, which the attacker identified by checking the Referer value in the HTTP request header, while a server-side error was returned to everyone else. This is understood to be why other services using the SDK were disrupted.

Due to this attack, any KLAYswap user who requested a deposit, swap, withdrawal or similar asset operation in the 1.5 hour period beginning at 11:30 on February 3 had the assets transferred immediately to the attacker. Analysis of the blockchain transactions indicates that the stolen coins were worth about 2.2 billion won in total, while the attacker actually ended up with coins worth about 1 billion won.

S2W intends to raise awareness of this danger by describing the relatively unfamiliar BGP hijacking technique and the detailed attack process, so as to share what kind of actual damage such an attack can cause.

All times mentioned in the analysis results below are based on Korea Standard Time (UTC+9).

Full Timeline

BGP Hijacking

The Internet is a global network in which hosts around the world exchange data anytime, anywhere, based on their unique IP addresses. Hosts with different IP addresses communicate through routers; each router selects the shortest path and informs its neighbors of the IP bands it manages. An AS (Autonomous System) manages these IP bands as prefixes and regularly supplies its routers with an up-to-date routing table.

BGP hijacking is the spreading of a routing table deliberately crafted by an attacker to neighboring ASs, abusing the BGP protocol that shares routing tables between ASs. Because BGP does not verify the trustworthiness of an announcement and simply follows the fastest route (in practice, the lowest cost), the attacker analyzes the target's routing path and then changes the network flow to a path of their choosing, attacking from an AS in the middle. By setting the routing policy to suit the attacker's intent, actions such as network paralysis and data interception become possible.

Normal network flow (Left) / Network flow during BGP hijacking attack (Right)

From the target's point of view, the network flow is changed unilaterally without any fault between the server and the service, so it encounters a situation in which no traffic arrives and there is no clear cause. The scope of this attack goes beyond what ordinary companies, which cannot intervene in AS operations, are able to respond to.

KLAYswap attacked by BGP Hijacking Technique

1. Overview of BGP analysis at the time of the incident

Main timeline: February 03, 2022 10:04 ~ 18:01

Timeline of the day of the incident
  • First BGP hijacking attempt confirmed (211.249.216.0/21): 10:04
  • Additional BGP hijacking attempt confirmed (121.53.104.0/23): 11:09
  • Service disruption on Kakao SDK related services: 11:30
  • First execution of a transaction transferring tokens to the attacker wallet: 11:31
  • BGP hijacking attack withdrawn (presumption): 13:04
  • Update to normal routing path due to withdrawal: 13:28
  • Kakao SDK related services restored: 13:30
  • Last abnormal transaction executed: 18:01

1.1 Detailed analysis

The domain that distributes the Kakao SDK file (developers.kakao.com) has resolved to the same two IPs since June 26, 2020, both at the time of the incident and still today. Both IPs are managed by a server hosting company called Dreamline, from which Kakao leases them as the actual user.

The related network infrastructure information is summarized below.

developers.kakao.com domain infrastructure

We used the RIS Raw Data provided by RIPE NCC, which supports technical and administrative cooperation for Internet infrastructure, to analyze all BGP updates collected around the world during the incident window (9 am to 5 pm on February 3). The analysis showed that route announcements for 121.53.104.0/24, 121.53.0.0/17, 121.53.0.0/16, 211.249.221.0/24, 211.249.128.0/17 and 211.249.0.0/16 originating from AS9457 began at 10:04 and were confirmed to last until 14:37.

The BGP hijacking attack targeting KLAYswap started at around 10:04 on February 3, 2022. To take priority over 211.249.216.0/21, the attacker first announced the more specific prefix 211.249.221.0/24, which wins longest-prefix matching over the /21, with a path through AS9457. From 11:09 the attack on the other band started in the same way, using 121.53.104.0/24 against 121.53.104.0/23. At 11:30, about 20 minutes after the attacks, the first transaction transferring KLAYswap tokens to the attacker's wallet was executed, and assets began to be stolen in earnest from this point on.

Considering that all of the contaminated BGP routing paths updated by the attacker originated from AS9457, it seems that the AS operated by the Dreamline company was manipulated by the attacker to be used for the attack.

Normal routing table
Contaminated routing table after BGP hijacking attack

The two figures below show the normal BGP path for each band and the BGP path contaminated by the BGP hijacking attack. When the attack is taking place, a requester will be connected to the attacker’s server because the manipulated path will be taken instead of the normal path.

Normal BGP route of 211.249.216.0/21 and manipulated route after contamination
Normal BGP route of 121.53.104.0/23 and manipulated route after contamination

The attack on both bands lasted a total of three hours, until 13:04. For unknown reasons, the attacker then stopped the attack on the 121.53.104.0/23 band, and from 13:28 the routing table began updating back to the original pre-attack path. For the other contaminated band, however, 211.249.221.0/24, no update back to the original path had occurred by at least 5 pm, and it is estimated that the contamination persisted and caused abnormal transactions until 18:01.
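The following is an added illustration (not code from the S2W write-up) of why the /24 announcements described above take over: forwarding uses longest-prefix match, so a more specific prefix wins regardless of how short the legitimate route's AS path is. The prefixes and the AS9457 origin come from the analysis; the other AS numbers, the AS paths and the tags are constructed placeholders.

```python
"""Toy BGP RIB: a more-specific prefix beats a covering prefix on longest-prefix match.
Constructed example; only the prefixes and AS9457 come from the incident analysis."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]   # right-most AS is the origin
    tag: str                   # "legitimate" or "hijack" (demo label only)


@dataclass
class Rib:
    """Minimal routing table: one best route per prefix."""
    routes: dict = field(default_factory=dict)

    def announce(self, prefix: str, as_path: Tuple[int, ...], tag: str) -> None:
        net = ipaddress.ip_network(prefix)
        new = Route(net, as_path, tag)
        cur = self.routes.get(net)
        # Best-path selection simplified to shortest AS path (the "cost" the text refers to)
        if cur is None or len(as_path) < len(cur.as_path):
            self.routes[net] = new

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip: str) -> Optional[Route]:
        """Forwarding decision: longest matching prefix wins, whatever the AS path length."""
        addr = ipaddress.ip_address(ip)
        matches = [r for net, r in self.routes.items() if addr in net]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def simulate_incident() -> dict:
    """Replay the two bands: hijack announced, then only one hijack withdrawn."""
    rib = Rib()
    # Legitimate covering routes (origin AS and path are constructed placeholders)
    rib.announce("211.249.216.0/21", (64500, 64501, 64502), "legitimate")
    rib.announce("121.53.104.0/23", (64500, 64501, 64502), "legitimate")
    before = rib.lookup("211.249.221.10").tag

    # 10:04 and 11:09: /24s announced with AS9457 as origin. The longer AS path
    # does not save the victim: /24 beats /21 and /23 on prefix length alone.
    rib.announce("211.249.221.0/24", (64500, 64503, 64504, 9457), "hijack")
    rib.announce("121.53.104.0/24", (64500, 64503, 64504, 9457), "hijack")
    during = (rib.lookup("211.249.221.10").tag, rib.lookup("121.53.104.5").tag)

    # 13:04 onwards: only the 121.53.104.0/24 hijack is withdrawn; the other band
    # keeps forwarding to the attacker, matching the behaviour described above.
    rib.withdraw("121.53.104.0/24")
    after = (rib.lookup("211.249.221.10").tag, rib.lookup("121.53.104.5").tag)
    return {"before": before, "during": during, "after": after}


if __name__ == "__main__":
    print(simulate_incident())
```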

2. SSL Certificate

Since the Kakao SDK file is downloaded over HTTPS, a BGP hijacking attack alone is not enough: the attacker's server cannot give a valid response because its certificate would not match the domain. To get around this, just before the attack the attacker issued and registered a free temporary 3-month certificate for the developers[.]kakao.com domain through the certificate authority ZeroSSL. Because routing to the domain had already been manipulated by the BGP hijacking, the CA's domain-validation check, which connects to the domain's IP, reached the attacker's server, and the certificate was issued.

Normal certificate information
Certificate information issued by the attacker

For the certificate issued by the attacker, the precertificate was added to the CT log at 11:27:57, and the leaf certificate for the domain was issued and became active one second later.

Logs related to the certificate registered by the attacker

ZeroSSL offers a service that provides SSL certificates free of charge for 3 months, as shown below.

Services provided by ZeroSSL
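The CT log entries described above are themselves a detection opportunity: a domain owner can alert on any certificate logged for its domain by a CA it does not use. The following is an added example, not part of the S2W write-up; the CT records are constructed for illustration (only the 11:27:57 and 11:27:58 timestamps mirror the analysis) and the corporate CA name is a placeholder.

```python
"""Flag certificate-transparency entries for a monitored domain whose issuer is not
one the domain owner uses. Constructed example: entries and the allowlisted CA name
are placeholders; only the two ZeroSSL timestamps mirror the incident write-up."""
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))

# Constructed policy: which CAs are allowed to issue for each monitored domain
EXPECTED_ISSUERS = {
    "developers.kakao.com": {"Example Corporate CA"},  # placeholder issuer name
}

# Constructed CT-style records: (logged_at in KST, domain, issuer, entry kind)
SAMPLE_ENTRIES = [
    ("2021-06-01T09:00:00", "developers.kakao.com", "Example Corporate CA", "leaf"),
    ("2022-02-03T11:27:57", "developers.kakao.com", "ZeroSSL", "precert"),
    ("2022-02-03T11:27:58", "developers.kakao.com", "ZeroSSL", "leaf"),
]


def parse_entry(row):
    logged, domain, issuer, kind = row
    return {
        "logged_at": datetime.fromisoformat(logged).replace(tzinfo=KST),
        "domain": domain,
        "issuer": issuer,
        "kind": kind,
    }


def find_unexpected_issuance(entries, expected=EXPECTED_ISSUERS):
    """Return one alert per leaf certificate whose issuer is not on the domain's
    allowlist. Each alert records the precert-to-leaf delay when the matching
    precertificate is present (the write-up notes a one-second gap)."""
    parsed = [parse_entry(e) for e in entries]
    alerts = []
    for leaf in parsed:
        if leaf["kind"] != "leaf":
            continue
        if leaf["issuer"] in expected.get(leaf["domain"], set()):
            continue  # issued by a CA the owner uses: not suspicious by itself
        precerts = [
            p["logged_at"] for p in parsed
            if p["kind"] == "precert"
            and p["domain"] == leaf["domain"]
            and p["issuer"] == leaf["issuer"]
            and p["logged_at"] <= leaf["logged_at"]
        ]
        delay = (leaf["logged_at"] - max(precerts)).total_seconds() if precerts else None
        alerts.append({
            "domain": leaf["domain"],
            "issuer": leaf["issuer"],
            "logged_at": leaf["logged_at"].isoformat(),
            "precert_delay_s": delay,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_issuance(SAMPLE_ENTRIES):
        print("unexpected issuance:", alert)
```

On the incident timeline such an alert would have fired at 11:27:58, a few minutes before the first theft transaction at 11:31:41.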

3. Malicious JS file analysis (kakao.min.js)

The malicious kakao.min.js file used in the attack is far larger than the normal kakao.min.js file. Analysis identified it as a webpack bundle that packs together the various modules used by the web application. The attacker took the existing SDK code actually used by KLAYswap, partially modified it, and used the result in the attack.

Comparison of normal kakao.min.js file and malicious kakao.min.js file
Malicious kakao.min.js file structure (webpack)

At the end of the malicious kakao.min.js file, the attacker's Account for theft and Factory Contract for theft addresses were specified. As a result, the assets of victims who downloaded the malicious file were transferred to the attacker instead of the intended address when they used KLAYswap.

Addresses of the attacker in malicious kakao.min.js file
Description by attacker address

The modified functions related to transfers in the malicious kakao.min.js are listed below; they are used to send assets to the attacker's Account and Factory Contract.

Modified function list
Normal app.js source (Left) / Malicious kakao.min.js source (Right)
Normal app.js source (Left) / Malicious kakao.min.js source (Right)

In addition to changing the Account and Factory Contract addresses, the attacker also replaced the Klaytn API address. This is presumed to have been used to bypass detection and to perform other processing.

Normal API server address and malicious API server
Normal app.js source (Left) / Malicious kakao.min.js source (Right)

Querying the API address set by the attacker showed that it was bound to the IP address of a VPS server located in Korea. The domain's registration and certificate information are shown below; the domain was registered on 2022-01-06, a month before the attack. The certificate was issued through Let's Encrypt, which issues SSL certificates free of charge.

Malicious API server domain information
About the certificate linked to the domain

4. Cryptocurrency transaction analysis

4.1 Stealing victim user’s token

Due to the malicious kakao.min.js file, from 11:31:41 on February 3, 2022 (Klaytn block 82005544), Klaytn-based tokens were transferred to the Account for theft (0xdfcb) for about 6 hours and 30 minutes after the first transaction, continuing until 18:01:07. The official damage period confirmed by KLAYswap so far is blocks 82005468 to 82028787.

Victim’s assets are transferred to the Account (0xdfcb) for theft through the attacker’s Factory Contract (0x3f31) for theft

4.2 Preliminary Preparation for KLAYswap Hacking by Attacker

Main timeline : June 29, 2021 08:31 ~ February 03, 2022 11:31

Pre-Preparation Timeline

The Factory Contract (0x3f31) for theft specified in the malicious kakao.min.js was created by the attacker’s Account (0x648c) at 02:49:35 on January 7, 2022, about a month ago.

Factory Contract for theft (0x3f31) creation transaction

In KLAYswap, when a user performs an operation such as a token swap, the Factory Contract must first obtain permission from the token contract to spend the user's tokens (an approval). Once the request is approved, the Factory Contract may spend the token. For this reason, as shown below, the asset leak caused by the malicious file first requested approval for the Factory Contract for theft (0x3f31); once the token contract approved it, the tokens were forcibly transferred to the Account for theft (0xdfcb).

  • (February 3, 2022 11:30:24) Approval transaction for the Factory Contract for theft (0x3f31) (block 82005468)
  • (February 3, 2022 11:31:41) Approved transfer forcibly moving tokens to the Account for theft (0xdfcb) (block 82005544)
First transaction

As such, the Factory Contract for theft (0x3f31) was used to approve transactions that stole tokens from victims from 11:30:24 on February 3, 2022, when the attack began, and the stolen tokens were transferred to the Account for theft (0xdfcb).

First executed transaction in Account for theft (0xdfcb)

The attacker's Account (0x648c), which created the Factory Contract for theft (0x3f31), made test transactions starting about 7 months earlier, from 08:31:29 on June 29, 2021, until 02:49:35 on January 7, 2022. A large number of transactions were performed, and about a month before the actual attack, at 08:49:07 on January 5, 2022, a Test Factory Contract (0xc72c) was created. After that, 40 KLAY were transferred from the attacker's Account (0x648c) to a Test Victim Account (0x13cf) for testing, and the attacker continued to transact these funds with the Test Factory Contract (0xc72c) to test several transactions.

List of addresses used in the preparation

The addresses used in the preparation

Therefore, the transaction history of the attacker's Account (0x648c) used for preliminary preparation shows that preparations for the hack began at least 7 months in advance, and the last test for the attack is presumed to have been completed on January 5, 2022, one month before the actual attack.

4.3 Analysis of withdrawal of stolen assets

After the attack began, the attacker did not move any funds until 12:42:14 on February 3, 2022, and first swapped part of the stolen funds through KLAYswap at 12:42:17 on February 3, 2022.

Main timeline : Feb 03, 2022 11:31 ~ Feb 06, 2022 10:44

Withdrawal and swap timeline

Afterwards, the attacker swapped further into KLAY-based tokens (KETH, KUSDT, KXRP, etc.), and we finally confirmed that the funds were converted into coins such as Tether, Dai Stablecoin and USD Coin and transferred to the FixedFloat* cryptocurrency exchange. It was not possible to confirm which swaps occurred afterwards at the exchange.

*FixedFloat is an instant, fully automatic exchange that supports swaps of various DeFi coins, Zcash and Monero.

Withdrawal and swap process

The damage amount of 2.2 billion won announced by KLAYswap is estimated to be the sum of the amounts transferred for each coin and token. Adding all these amounts together gives $1,910,172.95, equivalent to about 2.28 billion won at the exchange rate of February 10, 2022.

  • Total value (Dollar) : $1,910,172.95
  • Total value (Won) : 2,284,566,848.20 won
List of Klay-based Tokens swapped by the attacker (using S2W blockchain analysis solution “eyez”)

The full list and quantity of tokens the attacker tried to swap through the Orbit service are as follows. The quantities marked in red are estimated to be swap attempts that were cancelled because of Orbit's response. The total value of the tokens the attacker tried to swap is $1,396,861.24; excluding the transactions rejected by Orbit, the value is $900,137.85. There is a difference of about 600 million won between the calculated actual value and Klaytn's announcement, which is estimated to be because the KLAY swapped into other tokens was counted twice.

The estimated amount of damage and the amount actually held by the attacker
The value of each token swapped by the attacker (except Klay, swaps marked in red are rejected)
  • Total value (Dollar): $1,396,861.24
  • Total value (Won): 1,670,646,043.04 won
  • The value of the amount successfully swapped (Dollar): $900,137.85
  • The value of the amount successfully swapped (Won): 1,076,564,868.60 won

Tokens converted to KUSDT, KUSDC, KETH, KDAI, KXRP and KBNB were exchanged for Tether, Dai Stablecoin, USD Coin, BSC, XRP and ETH through attacker-owned addresses and transferred to the FixedFloat exchange. The total value of the coins transferred to the exchange is $898,886.20; the difference of $1,251.65 is accounted for by fees.

Value per coin finally transferred to FixedFloat exchange

4.4 Suspicious transaction in attacker’s XRP wallet

A transaction unrelated to this hack was found in the attacker's XRP wallet during the process of swapping the stolen tokens to KXRP and XRP and transferring them to the FixedFloat exchange. It occurred about 15 hours after the swap of the stolen tokens: 76,910.92 XRP was received in two transactions via the Singapore-based cryptocurrency exchange ByBit and then transferred to the FixedFloat exchange like the other transactions.

Suspicious transaction flow

4.5 Full list of addresses of attackers involved in the hacking

All list of addresses

5. DARKODE-related threat groups and forums

DARKODE keyword mentioned in malicious kakao.min.js

Researching threat groups related to the keyword "DARKODE" found in the malicious kakao.min.js file turned up not a threat group but a forum that used to operate under the name DARKODE on the deep web. However, its connection with this attack has not been confirmed.

5.1 About DARKODE Forum

The Dark0de underground forum, known in the past as DARKODE, operated as a deep web site from 2007 to 2015, where only members who registered on the darkode[.]com domain could participate. Hacking services, botnets, malware, personal information, credit cards, credentials and drugs were mainly sold on the forum.

DARKODE forum MARKET(LEVEL 2) bulletin board (Left) / Offline PoS sales post (Right)

According to the FBI's official press release in July 2015, the Dark0de forum's domain was seized by the FBI and EUROPOL, and it was revealed that the forum had ceased its activities.

Website at the time of seizure

However, six years later, in January 2021, posts appeared on Dread, a dark web forum, and on Reddit, a general community, asking for vendors to sell products on the Dark0de Reborn market. It was confirmed that Dark0de restarted in earnest from this point, but it was not confirmed whether the operator was the one who ran the previous forum or a new one.

Posts in Dread (Left) / Posts in Reddit (Right)
Revamped DARKODE Cyber Crime Market Main Page

5.2 Keyword search results in DARKODE forum

Searching the DARKODE forum for keywords related to this BGP hijacking attack found no sales posts or suspicious activity directly related to the incident.

  • 0 results for BGP search
  • 0 results for klay search
  • 1 result for kakao search (not related to this issue)
  • 10 results for korea search (not related to this issue)
  • 4 results for dreamline search (not related to this issue)
  • 0 results for Zerossl search
No results found

6. BGP Hijacking Attack Cases

Mining Pool Server Hijacking (2014.08)

An attacker was confirmed to have been attempting attacks continuously since February 3, 2014, and a total of 51 networks were compromised across 19 ISPs, including Amazon and Digital Ocean. The attacker redirected the mining pool connections of legitimate crypto miners to their own mining pools to take the rewards, and is estimated to have obtained about $83,000 over a period of more than 4 months. The following shows the mining pool hijacking attack process at the time.

Mining pool hijacking attack process (Source: Secureworks)
1. The attacker advertises its own route information to the ISP through BGP hijacking
2. Miners try to connect to the legitimate mining pool
3. Because of the BGP hijacking, the miners connect to the attacker's mining pool instead of the intended one
4. The miners mine cryptocurrency but receive no rewards

MyEtherWallet Hacking Incident (2018.04)

On April 25, 2018, from 11:00 to 13:00 (UTC), MyEtherWallet, a wallet service for Ethereum, was hacked. After creating a site identical to myetherwallet.com, the attacker performed BGP hijacking against the ISP eNET to redirect traffic for Amazon's Route 53 DNS service, which MyEtherWallet used, to a rogue DNS server in Chicago, which sent users to the phishing site they had created.

As a result, when users logged in to the phishing site, their account information was sent to the attacker's server, and the attacker stole about $150,000 worth of Ethereum using the collected login information. The following shows the attack process against MyEtherWallet.

MyEtherWallet attack process (Source: Cloudflare)
1. MyEtherWallet users access myetherwallet.com
2. The attacker sends an announcement to the ISP eNET (AS10297) and redirects traffic destined for Amazon (AS16509) to a fake DNS server in Chicago
3. The fake DNS server resolves MyEtherWallet's domain to the phishing site
4. MyEtherWallet users enter their account information on the phishing site, and the attackers use it to steal Ethereum

Cases in South Korea

The KLAYswap hack is the only known BGP-hijacking-related attack in Korea. A related incident, however, was the KT outage of October 2021. In that incident, the exit command was not entered when finishing the configuration of KT's internal network routing protocol (IS-IS) during a routing setup command sequence. As a result, data that should have been processed by the BGP protocol was processed by IS-IS, causing an error.

Mitigation

1. Monitoring

  • When a peer announces an IP prefix that does not fit the bands of the IP prefixes normally used, check whether there is any delay or abnormality in the network
  • Periodically monitor for sudden large drops in traffic in either direction or in response packets, and for cases of erroneous redirection

2. IP Prefix Filtering

  • Use IP prefix filtering to prevent illegal route creation
  • Prevent announcements that create new routes by maintaining a whitelist that allows only specific IP prefixes

3. RPKI

  • RPKI (Resource Public Key Infrastructure) is a technology that issues certificates for Internet address resources such as AS numbers and IP prefixes, based on the PKI standard, to guarantee the integrity of routing information.
  • RPKI supports two methods: the delegated method, in which each address management authority builds its own certificate server (CA) to manage its resources, and the hosted method, in which the regional Internet registry (RIR) or the subordinate Internet address management organization establishes the RPKI system and member organizations access it.
Internet address resource allocation and RPKI support method (Source: Korea Internet & Security Agency)
  • As such, the introduction of the RPKI system is different for each Internet address management organization, so it is necessary to inquire with the upper management organization or RIR in advance about how the system is operated.
  • Detecting an abnormal path through RPKI proceeds as follows.
RPKI system operation process (Source: Korea Internet & Security Agency)
1. AS3357 maliciously announces the same IP prefix as the one belonging to AS4745
2. Traffic is routed to AS3357 because the path to AS3357 is shorter than the path to AS4745
3. When AS9695 enables RPKI, it performs Route Origin Validation (ROV), comparing the received BGP announcement against the ROA information obtained from the RPKI server, to detect and block the abnormal path
  • RPKI is expected to detect and block abnormal routes in advance by verifying through the RPKI system whether announcements from BGP peers are trustworthy.
  • Cloudflare implemented RPKI in the hosted way and developed and deployed two tools, a validator called OctoRPKI and a local cache called GoRTR.
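Step 3 of the RPKI process above, Route Origin Validation, as an added example that is not code from the S2W write-up or from any RPKI tool: each announcement is classified as valid, invalid or notfound against a set of ROAs, and invalid ones are dropped. The ROAs and announcements are constructed; AS3357 and AS4745 are the figure's example ASs, AS9457 is the origin of the hijacked routes in the incident, and the assumption that the legitimate ROAs for the two bands name AS9457 as origin, like all maxLength values, is a placeholder.

```python
"""Route Origin Validation (ROV) of BGP announcements against ROAs.
Constructed example: ROAs, maxLength values and the origin AS of the legitimate
routes are placeholders; prefixes, AS9457, AS3357 and AS4745 come from the text."""
import ipaddress
from typing import List, NamedTuple, Tuple


class Roa(NamedTuple):
    prefix: str       # authorised prefix, e.g. "211.249.216.0/21"
    max_length: int   # longest prefix the origin may announce under this ROA
    origin_as: int


class Announcement(NamedTuple):
    prefix: str
    origin_as: int    # right-most AS of the AS_PATH


def validate(ann: Announcement, roas: List[Roa]) -> str:
    """RFC 6811 validation state: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"   # no ROA covers this prefix: RPKI says nothing about it
    for r in covering:
        if r.origin_as == ann.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"        # covered by a ROA but wrong origin, or more specific than allowed


def filter_announcements(anns, roas, drop_invalid=True) -> Tuple[list, list]:
    """Apply the usual ROV policy: drop 'invalid', accept 'valid' and 'notfound'."""
    accepted, dropped = [], []
    for a in anns:
        state = validate(a, roas)
        target = dropped if (state == "invalid" and drop_invalid) else accepted
        target.append((a, state))
    return accepted, dropped


# Constructed ROAs: maxLength equals the prefix length, so no more-specifics are authorised
ROAS = [
    Roa("211.249.216.0/21", 21, 9457),
    Roa("121.53.104.0/23", 23, 9457),
    Roa("203.0.113.0/24", 24, 4745),   # TEST-NET prefix standing in for AS4745's block
]

ANNOUNCEMENTS = [
    Announcement("211.249.216.0/21", 9457),  # legitimate covering route
    Announcement("211.249.221.0/24", 9457),  # hijack: authorised origin, but exceeds maxLength
    Announcement("121.53.104.0/24", 9457),   # hijack: same reasoning
    Announcement("203.0.113.0/24", 3357),    # figure step 1: AS3357 announces AS4745's prefix
    Announcement("198.51.100.0/24", 64999),  # no ROA at all: notfound, still accepted
]


if __name__ == "__main__":
    accepted, dropped = filter_announcements(ANNOUNCEMENTS, ROAS)
    for ann, state in accepted + dropped:
        print(f"{ann.prefix:<20} AS{ann.origin_as:<6} {state}")
```

The two AS9457 cases show the caveat: when the more-specific is announced from the authorised origin AS, ROV catches it only because the ROA's maxLength was not loosened to allow /24s, so a holder that sets maxLength generously loses this protection.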

Conclusion

Many countries are already well aware of the risk of BGP hijacking, which exploits a weakness of the BGP protocol, and are well prepared for it, but Korea is not yet prepared for such an attack. In particular, it is not easy to prepare for and respond to, because the network path change is caused by abuse of an AS, which even an organization that invests well in security finds hard to account for.

Only about 33.85% of IPv4 routes worldwide are signed with RPKI (Source: NIST RPKI Monitor)
Top 25 RPKI-applied AS list of APNIC to which Korea belongs

However, large-scale attacks such as this one on KLAYswap have actually occurred, this fact is known to attackers around the world, and there is a high possibility that it will be repeated by the same or another attacker in the future. Therefore, ordinary companies, ISPs and server hosting companies need to recognize the risk shown by this incident and collaborate to prevent a recurrence.


S2W specializes in cybersecurity data analysis for cyber threat intelligence.