Nation-State

As part of our counter intelligence work, we have been monitoring the internet communications of
a range of countries across the globe.

We recently detected some suspicious traffic hitting one of our honeypot servers (purposely set up
to draw in attacks).

We have intel to suggest that certain nation states are utilising bots and other automated methods
to scan resources across the internet in an attempt to retrieve files that have inadvertently been
left open to the world on web servers. This is just one of the approaches that we believe forms a
part of a more comprehensive set of offensive cyber capabilities.

It looks like somebody has been looking for something quite specific in this case.

I've attached a text file which represents a section of the log data for this honeypot server. I'm
wondering whether you could tell us which country is responsible for the traffic and which country
is the likely target?

Attempts are capped at 7, so refrain from completely guessing!

Expected flag format: sourceCountry(Space)targetCountry

The relevant log file can be found in assets.

One of the URL endpoints being requested is /staff/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D. Each %uXXXX sequence is a non-standard percent-escape for a single Unicode code point. Running the path through a Unicode decoder gives Владимир Путин, the Russian spelling of Vladimir Putin, so the target country is likely Russia.

Other endpoints being hit include /documents/international-domination-strategy.txt and /documents/new-world-order.pdf. The requesting IPs are 175.45.176.180 and 175.45.176.212, both of which belong to North Korea, making it the source country.

Answer: northKorea russia
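The two analysis steps above (decoding the %uXXXX path and grouping requests by client IP) can be scripted. The following is an added example, not part of the original challenge or write-up. The log line layout, timestamps and status codes are constructed, since the real log file is not reproduced here; only the IPs and paths come from the text above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in an assumed common-log layout.
SAMPLE_LOG = """\
175.45.176.180 - - [01/Jan/2020:10:00:01 +0000] "GET /staff/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D HTTP/1.1" 404 0
175.45.176.212 - - [01/Jan/2020:10:00:05 +0000] "GET /documents/new-world-order.pdf HTTP/1.1" 404 0
175.45.176.180 - - [01/Jan/2020:10:00:09 +0000] "GET /documents/international-domination-strategy.txt HTTP/1.1" 404 0
"""

# One pass over both escape styles, so decoded output is never decoded twice.
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|((?:%[0-9A-Fa-f]{2})+)")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')


def decode_path(path):
    """Decode %uXXXX (UTF-16 code units) and standard %XX (UTF-8) escapes."""
    def repl(match):
        if match.group(1):
            return chr(int(match.group(1), 16))
        return unquote(match.group(2), errors="replace")

    decoded = ESCAPE.sub(repl, path)
    # Recombine surrogate pairs; a lone surrogate becomes U+FFFD.
    return decoded.encode("utf-16-le", "surrogatepass").decode("utf-16-le", "replace")


def requests_by_client(log_text):
    """Map each client IP to the decoded paths it requested, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if match:
            hits[match.group(1)].append(decode_path(match.group(2)))
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in requests_by_client(SAMPLE_LOG).items():
        print(ip, paths)
```

The source IPs still need a WHOIS or GeoIP lookup to attribute them to a country; the script only surfaces which addresses asked for which decoded paths.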


Tags

  1. cyber crime (Private)
  2. 600 points (Private)