
Attacks on European Firms Suggest Return of “Dark Seoul” Group

The tools and techniques used by malicious actors in attacks targeting European companies indicate that the group known for wreaking havoc in South Korea in 2013 might have returned.

A series of attacks were launched in 2013 against various organizations in South Korea, including broadcasters, financial companies, and government agencies. Experts determined at the time that the cyber espionage campaign, dubbed Dark Seoul and Operation Troy, dated back to at least 2009. The pieces of malware used by the attackers had been designed not only to steal sensitive information, but also to destroy the master boot record (MBR) of infected machines.

South Korean officials blamed North Korea for the attacks, but Pyongyang denied any involvement.

In a July 2013 report detailing the attacks, McAfee noted that one of the pieces of malware used in Operation Troy was “TDrop,” a threat that disguised itself as a security product to avoid detection.

After two years in which no other Dark Seoul attacks were reported, Palo Alto Networks identified malicious code samples whose behavior resembles that of the malware used in the 2013 campaign. The attacks spotted by the security firm, dating back to June 2015, targeted the transportation and logistics sector in Europe.

Experts believe the attacks started with a spear-phishing email designed to deliver a piece of malware bundled with an installer for security camera video playback software offered by an industrial control systems (ICS) organization.

An analysis of the Trojan’s behavior and binary code revealed similarities to the tools used in the 2013 Dark Seoul attacks. While there isn’t sufficient evidence to confirm it, the reemergence of the tools suggests that the group behind the attacks on South Korea is back, Palo Alto Networks said.

The new piece of malware discovered by researchers, dubbed by Palo Alto “TDrop2,” appears to be a successor of “TDrop.” The initial commands sent to the malware are designed for basic reconnaissance of the infected host.

The list of similarities between the new and the old malware includes a distinct string encryption routine and network communications.

In the recent attacks, the threat group used compromised South Korean and European websites as command and control (C&C) servers. Researchers say it’s unclear how these websites got hacked, but they all use shared hosting and they run out-of-date software that could be plagued by serious vulnerabilities.

There are some significant differences between the recent and the 2013 attacks, including the targets, which this time are not in South Korea, and the fact that the malware has not exhibited any destructive functionality, although experts have pointed out that TDrop2 is capable of downloading additional components.

Palo Alto Networks believes the differences are outweighed by the similarities, and the company believes it’s highly likely that we’re witnessing a reemergence of the Dark Seoul attackers.

“It is not uncommon for threat actors to become dormant for some period of time, especially after public unveiling as the groups behind Dark Seoul/Operation Troy experienced. What we do know is that changing infrastructure and toolsets can be challenging, and it is not nearly as common that a very specialized tool developed for specific teams would be shared amongst threat actors,” Palo Alto Networks said in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
