South Korea Cyberattacks: Bravado, Cyberwarfare Or Smokescreen?
The wave of cyberattacks that rattled South Korea this week, targeting television broadcasters YTN, MBC and KBS as well as two major commercial banks, Shinhan Bank and NongHyup Bank, were caused by a piece of wiper malware known as Trojan Horse/Trojan.Jokra and WS.Reputation.1, according to initial research by Symantec.
The incident left customers unable to access their bank accounts and apparently did untold damage to network systems. About 32,000 computers at the organizations were affected, according to the South's state-run Korea Internet Security Agency, adding it would take up to five days to fully restore their functions, according to a Reuters report.
The malware used, which wiped the hard drives of the impacted computers leaving them in a shattered state, left an elaborate animated web page with sound effects, showing three skulls and included a message by the claimed attackers calling themselves the “Whois” team, according to Symantec.
Security Bistro spoke to Barry Shteiman, Senior Security Strategist at Imperva, who said that this incident had all of the hallmarks of a group trying to flex their muscle.
"Hacking a bank has an immediate effect. Taking 'down' a bank creates a ripple effect. First, the bank has to reveal what happened due to regulations, and then the personal account holders and business account holders begin raising their voices for not being able to access their funds or transact," Shteiman said. "While some are willing to take it, another part of the customer base will change its course and choose another provider. Since the hacks focused on more than banks (that is, they focused on telecommunications as well) it makes sense that a big part of the reason to hack was to intimidate."
The malware, according to a blog by Jaime Blasco, Director at AlienVault Labs, was used to overwrite the master boot record, preventing the affected computers from rebooting. In its place, the wiper malware left the word Hastati. According to Wikipedia, the Hastati were a class of infantry in the armies of the early Roman Republic.
Subsequent analysis from Symantec uncovered that the Trojan.Jokra they intially discovered contained a unique feature: a module for wiping remote Linux machines.
"We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat," they wrote.
While it will take days, perhaps even a week, for some of the attacked systems to return to normal, there is already speculation as to the origins and motives behind this targeted attack.
A theory proposed by the security firm Avast surmises that the attacks may be the work of the Chinese. After analyzing the code that originated at hxxp://www.spc.or.kr/ and brought down several South Korean banks, Avast discovered strong clues that point back to China.
"Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executable makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese," Avast researchers wrote in a post.
Researchers from Kaspersky Labs took a more big picture stance, believing that the nature of the attack provides ample evidence as to who the culprits may be.
"The attacks were designed to be 'loud' - the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," they wrote Kaspersky wrote on their Securelist blog.
While theories will, no doubt, continue to be bandied about, Shteiman believes it is too soon to point the finger.
"It is very unclear at this point. Bear in mind that a hack of this scale has to be planned, and so assuming that this was a statement making incident may be the wrong path to go. There is a good chance that the hack series had a goal, and it might have been achieved," he said.
A goal that might have had a more malicious endgame.
"Notice that there has been no claim published that data was stolen or lost, which makes one wonder if there was data stolen," added Shtieman.