South Korea Cyber Attack Was Part of Long Campaign Dating Back to at Least 2009 and Conclusion of a Covert Espionage Campaign
The attacks that wiped data from tens of thousands of computers at South Korean TV networks and financial institutions earlier this year were part of a larger cyber-espionage campaign that spanned at least four years, McAfee researchers said today.
The malware was designed to find and upload information referring to the U.S. military presence in South Korea, joint exercises, and certain keywords such as “secret” or “confidential,” Brian Kenyon, Vice President and CTO of Security Connected at McAfee, told SecurityWeek. Researchers discovered that the malware used during the “Dark Seoul Incident” on March 20 had many characteristics in common with a keyword-searching malware dating back to 2009, Kenyon said.
In the Dark Seoul attacks, the malware wasn’t collecting information, but was erasing hard drives and destroying the master boot records on 30,000 machines. “The incident was more than cybervandalism,” McAfee said in the report. “The attacks on South Korean targets were actually the conclusion of a covert espionage campaign.”
Researchers discovered that the data-wiping malware and the original keyword-searching malware appear to have been compiled using the same directory structure, used the same cryptographic key, and were created with the same compiler, Kenyon said. There may also have been versions dating back as far as 2007 or 2008.
McAfee did not go so far as to point fingers at any country that may be responsible in its report, but said the attacks were part of an attempt “to spy on and disrupt South Korea’s military and government.” South Korea has accused North Korea in the past of targeting its networks.
However, Kenyon said the clues indicate that the campaign was the work of a single group.
McAfee also did not have a list of targets that may have been hit by this espionage campaign over the years. The researchers have several samples of the malware that was used, and were able to infer that the targets must have held military-related information based on the type of keywords the malware was searching for, Kenyon said. The code was custom-built for the campaign and doesn’t appear to have elements from other malware families or toolkits, he said.
The malware, once it infected a machine, automatically searched for dozens of military terms in Korean, including “U.S. Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by U.S. Forces Korea and the South Korean military. It then transferred the data over encrypted channels to an IRC channel.
It’s anyone’s guess where the data went or who got access to the information once it reached the IRC channel, Kenyon said. The goal was to get it off the government networks and onto a third-party area, he said.
The malware appears to have been distributed using injection and phishing techniques, Kenyon said. The attackers hijacked several Korean-language religious, social, and shopping sites to infect victims. In fact, in 2009, the malware was implanted into a social media site popular among military personnel in South Korea, according to McAfee.
Some of the malicious code used in this campaign may have masqueraded as anti-virus products from AhnLab, South Korea’s largest anti-virus vendor, according to McAfee’s report.
McAfee dubbed the cyber-spying campaign “Operation Troy” because the code contained many references to the ancient city.
“This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence,” much in the way attackers wiped the machines after Dark Seoul, McAfee said.
Earlier this month, South Korea said it would double its cyber-security budget and train 5,000 cyber warriors over increasing concern over its vulnerability to attacks it blames on North Korea.
The full white paper from McAfee on Operation Troy is available here in PDF format.