Feeds

Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

Can Norks afford malware writers?

The essential guide to IT transformation

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That's according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn't draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee's EMEA CTO, Raj Samani, said the firm didn't want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails - precisely targeted messages booby-trapped with attack code - were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.

The attack shouldn't have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it "Operation Troy" after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared some of the code in the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The "Concealment" Troy variant, which appeared earlier this year, broke with this dependance on a hardcoded IRC control server control network and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.

Timeline of the development of Dark Seoul's malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind "noisy" DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. "The attacks involve destruction, disruption and espionage," said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®

Build a business case: developing custom apps

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.