Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Data Wiping Attacks in South Korea Were Culmination of Multi-Year Espionage Campaign

South Korea Cyber Attack Was Part of Long campaign Dating Back to at Least 2009 and Conclusion of a Covert Espionage Campaign

South Korea Cyber Attack Was Part of Long campaign Dating Back to at Least 2009 and Conclusion of a Covert Espionage Campaign

The attacks that wiped data from tens of thousands of computers at South Korean TV networks and financial institutions earlier this year were part of a larger cyber-espionage campaign that spanned at least four years, McAfee researchers said today.

The malware was designed to find and upload information referring to the U.S. military presence in South Korea, joint exercises, and certain keywords such as “secret” or “confidential,” Brian Kenyon, Vice President and CTO of Security Connected at McAfee, told SecurityWeek. Researchers discovered that the malware used during the “Dark Seoul Incident” on March 20 had many characteristics in common with a keyword-searching malware dating back to 2009, Kenyon said.

South Korea Operation Troy

In the Dark Seoul attacks, the malware wasn’t collecting information, but was erasing hard drives and destroying the master boot records on 30,000 machines. “The incident was more than cybervandalism,” McAfee said in the report. “The attacks on South Korean targets were actually the conclusion of a covert espionage campaign.”

Researchers discovered that data wiping malware and the original keyword-searching malware appear to have been compiled using the same directory structure, used the same cryptographic key, and was created with the same compiler, Kenyon said. It appears there may have been versions as old as from 2007 or 2008, as well.

McAfee did not go as far to point fingers at any country that may be responsible in its report, but said the attacks were part of an attempt” to spy on and disrupt South Korea’s military and government.” South Korea has accused North Korea in the past for targeting its networks.

However, Kenyon said the clues indicate that the campaign was the work of a single group.

McAfee also did not have a list of targets that may have been hit by this espionage campaign over the years. The researchers have several samples of the malware that was used, and was able to infer that the targets must have military-related information based on the type of keywords the malware was searching for, Kenyon said. The code was custom-built for the campaign and doesn’t appear to have elements from other malware families or toolkits, he said.

The malware, once it infected a machine, automatically searched for dozens of military terms in Korean, including “U.S. Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by U.S. Forces Korea and the South Korean military. It then transferred the data over encrypted channels to an IRC channel.

It’s anyone’s guess where the data went or who got access to the information once it got to the IRC channel, Kenyon said. The goal was to get it off tue government networks and onto a third-party area, he said.

The malware appears to have been distributed using injection and phishing techniques, Kenyon said. The attackers hijacked several Korean-language religious, social, and shopping sites to infect victims. In fact, in 2009, the malware was implanted into a social media site popular among military personnel in South Korea, according to McAfee.

Some of the malicious codes used in this campaign may have masqueraded as anti-virus products from Ahnlab, South Korea’s largest anti-virus vendor, according to McAfee’s report.

McAfee dubbed the cyber-spying campaign “Operation Troy” because the code contained many references to the ancient city.

“This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence,” much in the way attackers wiped the machines after Dark Seoul, McAfee said.

Earlier this month, South Korea said it would double its cyber-security budget and train 5,000 cyber warriors over increasing concern over its vulnerability to attacks it blames on North Korea.

The full white paper from McAfee on Operation Troy is available here in PDF format.

Related: South Korea Cyber Attack Tied to DarkSeoul Crew: Symantec

Related‘PinkStats’ Malware Used in Attacks Against South Korea, Others

RelatedSouth Korea Sounds Alert After Official Websites Hacked

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.