
Data Wiping Attacks in South Korea Were Culmination of Multi-Year Espionage Campaign

South Korea Cyber Attack Was Part of Long Campaign Dating Back to at Least 2009 and Conclusion of a Covert Espionage Campaign


The attacks that wiped data from tens of thousands of computers at South Korean TV networks and financial institutions earlier this year were part of a larger cyber-espionage campaign that spanned at least four years, McAfee researchers said today.

The malware was designed to find and upload information referring to the U.S. military presence in South Korea, joint exercises, and certain keywords such as “secret” or “confidential,” Brian Kenyon, Vice President and CTO of Security Connected at McAfee, told SecurityWeek. Researchers discovered that the malware used during the “Dark Seoul Incident” on March 20 had many characteristics in common with a keyword-searching malware dating back to 2009, Kenyon said.


In the Dark Seoul attacks, the malware wasn’t collecting information, but was erasing hard drives and destroying the master boot records on 30,000 machines. “The incident was more than cybervandalism,” McAfee said in the report. “The attacks on South Korean targets were actually the conclusion of a covert espionage campaign.”

Researchers discovered that the data-wiping malware and the original keyword-searching malware appear to have been compiled using the same directory structure, used the same cryptographic key, and were created with the same compiler, Kenyon said. It appears there may have been versions dating back as far as 2007 or 2008, as well.

McAfee did not go so far as to point fingers in its report at any country that may be responsible, but said the attacks were part of an attempt “to spy on and disrupt South Korea’s military and government.” South Korea has accused North Korea in the past of targeting its networks.

However, Kenyon said the clues indicate that the campaign was the work of a single group.

McAfee also did not have a list of targets that may have been hit by this espionage campaign over the years. The researchers have several samples of the malware that was used, and were able to infer that the targets must have military-related information based on the type of keywords the malware was searching for, Kenyon said. The code was custom-built for the campaign and doesn’t appear to have elements from other malware families or toolkits, he said.


The malware, once it infected a machine, automatically searched for dozens of military terms in Korean, including “U.S. Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by U.S. Forces Korea and the South Korean military. It then transferred the data over encrypted channels to an IRC channel.

It’s anyone’s guess where the data went or who got access to the information once it got to the IRC channel, Kenyon said. The goal was to get it off the government networks and onto a third-party area, he said.

The malware appears to have been distributed using injection and phishing techniques, Kenyon said. The attackers hijacked several Korean-language religious, social, and shopping sites to infect victims. In fact, in 2009, the malware was implanted into a social media site popular among military personnel in South Korea, according to McAfee.

Some of the malicious code used in this campaign may have masqueraded as anti-virus products from Ahnlab, South Korea’s largest anti-virus vendor, according to McAfee’s report.

McAfee dubbed the cyber-spying campaign “Operation Troy” because the code contained many references to the ancient city.

“This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence,” much in the way attackers wiped the machines after Dark Seoul, McAfee said.

Earlier this month, South Korea said it would double its cyber-security budget and train 5,000 cyber warriors amid increasing concern over its vulnerability to attacks it blames on North Korea.

The full white paper from McAfee on Operation Troy is available here in PDF format.
