Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

South Korea Cyber Attack Tied to DarkSeoul Crew: Symantec

Security researchers at Symantec have attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

Security researchers at Symantec have attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

The attacks occurred Tuesday on the anniversary of the start of the Korean War in 1950, an event the hackers effectively commemorated by taking down websites for the South Korean president’s office as well as local newspapers.

While government officials have not blamed anyone for the attacks, Symantec believes a group called DarkSeoul is responsible for at least one of the attacks and has been actively targeting South Korea for four years. The group is believed to be tied to attacks there in March as well, when numerous hard drives at South Korean banks and television stations were wiped in a spate of devastating attacks. Symantec also blames the crew for attacks on financial companies in South Korea last month.

“Previously, we believed that these attacks were all connected based on the M.O., but that is not definitive enough for us to declare they are indeed connected,” said Eric Chien, technical director for Symantec’s Security Response team. “The attack this week, however, used new binaries. These new binaries shared code with the previous attacks that allowed us to definitively connect all the attacks together. The shared code is not code we have seen used in any other attacks, either.”

According to Symantec, the gang’s attack begins with a user visiting a compromised site hosting the Trojan downloader Castov disguised as SimDisk.exe. Ultimately, the infected computer also downloads a Trojan known as Castdos, which is used for the DDoS attack.

Trend Micro Threats Researcher Marco Dela Vega blogged that the malware connected to the DDoS attack was set to drop the DDoS-capable component into systems on or after 10 a.m. June 25 with the goal of triggering a ticking time bomb.

“Looking more into the attack, maximum impact appears to be its primary goal,” he wrote. “The DDoS attack is carried out by repeatedly sending relatively large DNS packets (more than one kilobyte) to two IP addresses. These targeted IP addresses are the primary and secondary DNS name servers of record for multiple South Korean government sites. The attack is intended to knock all of these sites offline indirectly: users that don’t have a DNS record cached for these domains would need to use DNS to translate the domain name to the IP address, but because the name servers for these domains are offline, they would be unable to do so.”

“By targeting a single point of failure, attackers are able to take down multiple sites using only one attack,” he added.

Advertisement. Scroll to continue reading.

In addition to taking the sites down, a report surfaced today that hackers had both obtained and publicized personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

“We have seen the sites where the details were posted and clips that supposedly capture the process of hacking into web sites,” an official at the South Korean online security firm NSHC told Reuters.

The legitimacy of the information however could not be verified, the official said.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.