Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

Can Norks afford malware writers?

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That's according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn't draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee's EMEA CTO, Raj Samani, said the firm didn't want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails - precisely targeted messages booby-trapped with attack code - were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.
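The master boot record is the first 512-byte sector of a disk: 446 bytes of boot code, a 64-byte table of four partition entries, and the two-byte signature 0x55AA that firmware checks before executing the sector. A wiper has to change those bytes, so a defender can record a baseline of sector 0 at build time and re-check it. The Python below is an added illustration for this article, not code from McAfee or from the malware analysis it describes; the "good" MBR and the "wiped" sector are constructed inline, and `read_mbr` is an assumed helper for reading sector 0 from a real device or disk image.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not taken from any real disk): a tiny bootstrap
    stub padded with NOPs, one active partition of type 0x07 and the signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def wiped_mbr(pattern: bytes = b"\x00") -> bytes:
    """Constructed stand-in for a sector that a wiper has overwritten with a
    single byte value or a short repeated string."""
    return (pattern * MBR_SIZE)[:MBR_SIZE]


def read_mbr(device_path: str) -> bytes:
    """Assumed helper: read sector 0 from a raw device or image (needs root on a live host)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(data: bytes) -> dict:
    """Decode the partition table, check the signature and hash the boot code."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, data[off:off + PART_ENTRY_SIZE])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
    }


def check_mbr(data: bytes, baseline_boot_hash: str) -> list:
    """Compare a freshly read sector 0 against the baseline hash of its boot code.
    Returns a list of findings; an empty list means nothing looks wrong."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("partition table empty")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    # crude but useful: a sector made of one or two distinct byte values is a
    # fill pattern, not boot code plus a partition table
    if len(set(data)) <= 2:
        findings.append("sector filled with a repeated pattern")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]  # record this when the machine is built
    print("clean sector:", check_mbr(good, baseline))
    print("wiped sector:", check_mbr(wiped_mbr(b"ZZ"), baseline))
```

In practice the baseline hash is stored off the host (the wiper runs with enough privilege to rewrite sector 0, so it can rewrite a local hash file just as easily), and the check is scheduled alongside the rest of the endpoint's integrity monitoring; a hit on any of these findings on a machine that has not been legitimately re-imaged is worth an immediate look.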

The attack shouldn't have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it "Operation Troy" after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared some of the code in the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The "Concealment" Troy variant, which appeared earlier this year, broke with this dependence on a hardcoded IRC control server and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.
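An IRC server hidden on a compromised web site means the command channel can sit on port 80 and look, at a glance, like web traffic. The protocol itself still gives it away: an IRC client announces itself with NICK and USER, then JOIN and PRIVMSG, and none of those words open an HTTP request. The Python below is an added illustration for this article, not McAfee's detection logic or any product's; the log format (timestamp, source host, destination ip:port, first bytes of the outbound payload) and the sample lines are constructed for the example, and the IRC command list and port range are ordinary protocol facts, not indicators taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real incident). Assumed format:
# timestamp, source host, destination ip:port, first bytes of the outbound payload.
SAMPLE_LOG = """\
2013-03-12T09:14:02Z ws-finance-17 93.184.216.34:443 CONNECT update.example.net:443 HTTP/1.1
2013-03-12T09:14:05Z ws-finance-17 203.0.113.20:80 NICK kr-0x3f7a
2013-03-12T09:14:05Z ws-finance-17 203.0.113.20:80 USER kr 0 * :kr
2013-03-12T09:14:06Z ws-finance-17 203.0.113.20:80 JOIN #ops
2013-03-12T09:15:11Z ws-hr-03 198.51.100.9:6667 PRIVMSG #lobby :hello
2013-03-12T09:16:40Z ws-finance-17 93.184.216.34:443 GET /index.html HTTP/1.1
"""

# Client-side IRC commands (RFC 1459/2812) and the ports IRC servers conventionally listen on
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE", "QUIT"}
IRC_PORTS = set(range(6660, 6670)) | {7000}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, payload = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "payload": payload}


def detect_irc(log_text: str) -> list:
    """One alert per line that carries an IRC command or targets an IRC port.
    An IRC command on a non-IRC port (80, 443, ...) is the concealed-server case."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        first_word = rec["payload"].split(" ", 1)[0].upper()
        is_irc_cmd = first_word in IRC_COMMANDS
        on_irc_port = rec["port"] in IRC_PORTS
        if is_irc_cmd and not on_irc_port:
            reason = f"IRC command {first_word} to port {rec['port']} (concealed IRC server?)"
        elif is_irc_cmd or on_irc_port:
            reason = f"IRC traffic to {rec['dst']}:{rec['port']}"
        else:
            continue
        alerts.append({**rec, "command": first_word if is_irc_cmd else None, "reason": reason})
    return alerts


def hosts_with_irc_sessions(alerts: list, min_commands: int = 2) -> set:
    """Hosts that sent at least `min_commands` distinct IRC commands to one
    destination, i.e. a real registration handshake rather than a stray word."""
    seen = defaultdict(set)
    for a in alerts:
        if a["command"]:
            seen[(a["src"], a["dst"], a["port"])].add(a["command"])
    return {src for (src, _, _), cmds in seen.items() if len(cmds) >= min_commands}


if __name__ == "__main__":
    found = detect_irc(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["src"], a["reason"])
    print("hosts with an IRC session:", hosts_with_irc_sessions(found))
```

The per-line alerts are noisy on their own (a single PRIVMSG-shaped token can occur in legitimate data), which is why the session check requires several distinct commands from the same host to the same destination before naming a host; in a real deployment the payload preview would come from a proxy or network sensor rather than a text file, and the botnet-style control that replaced IRC in the "Concealment" variant needs a different detection approach altogether.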

Timeline of the development of Dark Seoul's malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind "noisy" DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. "The attacks involve destruction, disruption and espionage," said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®
