Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

South Korea Cyber Attack Tied to DarkSeoul Crew: Symantec

Security researchers at Symantec have attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

Security researchers at Symantec have attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

The attacks occurred Tuesday on the anniversary of the start of the Korean War in 1950, an event the hackers effectively commemorated by taking down websites for the South Korean president’s office as well as local newspapers.

While government officials have not blamed anyone for the attacks, Symantec believes a group called DarkSeoul is responsible for at least one of the attacks and has been actively targeting South Korea for four years. The group is believed to be tied to attacks there in March as well, when numerous hard drives at South Korean banks and television stations were wiped in a spate of devastating attacks. Symantec also blames the crew for attacks on financial companies in South Korea last month.

“Previously, we believed that these attacks were all connected based on the M.O., but that is not definitive enough for us to declare they are indeed connected,” said Eric Chien, technical director for Symantec’s Security Response team. “The attack this week, however, used new binaries. These new binaries shared code with the previous attacks that allowed us to definitively connect all the attacks together. The shared code is not code we have seen used in any other attacks, either.”

According to Symantec, the gang’s attack begins with a user visiting a compromised site hosting the Trojan downloader Castov disguised as SimDisk.exe. Ultimately, the infected computer also downloads a Trojan known as Castdos, which is used for the DDoS attack.

Trend Micro Threats Researcher Marco Dela Vega blogged that the malware connected to the DDoS attack was set to drop the DDoS-capable component into systems on or after 10 a.m. June 25 with the goal of triggering a ticking time bomb.

“Looking more into the attack, maximum impact appears to be its primary goal,” he wrote. “The DDoS attack is carried out by repeatedly sending relatively large DNS packets (more than one kilobyte) to two IP addresses. These targeted IP addresses are the primary and secondary DNS name servers of record for multiple South Korean government sites. The attack is intended to knock all of these sites offline indirectly: users that don’t have a DNS record cached for these domains would need to use DNS to translate the domain name to the IP address, but because the name servers for these domains are offline, they would be unable to do so.”

“By targeting a single point of failure, attackers are able to take down multiple sites using only one attack,” he added.

In addition to taking the sites down, a report surfaced today that hackers had both obtained and publicized personal details of more than two million South Korean ruling party workers and 40,000 U.S. troops, including those stationed in South Korea.

“We have seen the sites where the details were posted and clips that supposedly capture the process of hacking into web sites,” an official at the South Korean online security firm NSHC told Reuters.

The legitimacy of the information however could not be verified, the official said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.