South Korea Cyber Attack Tied to DarkSeoul Crew: Symantec

Security researchers at Symantec have attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

The attacks occurred Tuesday on the anniversary of the start of the Korean War in 1950, an event the hackers effectively commemorated by taking down websites for the South Korean president’s office as well as local newspapers.

While government officials have not blamed anyone for the attacks, Symantec believes a group called DarkSeoul is responsible for at least one of the attacks and has been actively targeting South Korea for four years. The group is believed to be tied to attacks there in March as well, when numerous hard drives at South Korean banks and television stations were wiped in a spate of devastating attacks. Symantec also blames the crew for attacks on financial companies in South Korea last month.

“Previously, we believed that these attacks were all connected based on the M.O., but that is not definitive enough for us to declare they are indeed connected,” said Eric Chien, technical director for Symantec’s Security Response team. “The attack this week, however, used new binaries. These new binaries shared code with the previous attacks that allowed us to definitively connect all the attacks together. The shared code is not code we have seen used in any other attacks, either.”

According to Symantec, the gang’s attack begins with a user visiting a compromised site hosting the Trojan downloader Castov disguised as SimDisk.exe. Ultimately, the infected computer also downloads a Trojan known as Castdos, which is used for the DDoS attack.

Trend Micro Threats Researcher Marco Dela Vega blogged that the malware connected to the DDoS attack was set to drop the DDoS-capable component into systems on or after 10 a.m. June 25 with the goal of triggering a ticking time bomb.

“Looking more into the attack, maximum impact appears to be its primary goal,” he wrote. “The DDoS attack is carried out by repeatedly sending relatively large DNS packets (more than one kilobyte) to two IP addresses. These targeted IP addresses are the primary and secondary DNS name servers of record for multiple South Korean government sites. The attack is intended to knock all of these sites offline indirectly: users that don’t have a DNS record cached for these domains would need to use DNS to translate the domain name to the IP address, but because the name servers for these domains are offline, they would be unable to do so.”

“By targeting a single point of failure, attackers are able to take down multiple sites using only one attack,” he added.

In addition to taking the sites down, a report surfaced today that hackers had both obtained and publicized personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

“We have seen the sites where the details were posted and clips that supposedly capture the process of hacking into web sites,” an official at the South Korean online security firm NSHC told Reuters.

The legitimacy of the information however could not be verified, the official said.