The cyber attack on South Korean banks and media outlets in March was part of a wider four-year military espionage operation against the Seoul government, McAfee Labs said this week.
In an analysis of a series of hacking attacks on South Korea since 2009, the security software company said the attackers used a remote-access Trojan to compromise an internal server in the latest disruption on March 20. In this attack, which became known as Dark Seoul, three TV networks and two banks were partly or completely crippled.
McAfee said it was not clear who was really behind the attacks, which have been claimed by groups calling themselves The NewRomanic Cyber Army Team and The Whois Hacking Team. “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the McAfee report said.
McAfee said it had renamed the anti-Seoul attacks Operation Troy, because the word “Troy” cropped up repeatedly in the malware used over the four years.
“We have determined that the attackers had access to the environment prior to wiping the systems [on March 20],” the analysis said. “The remote-access Trojan was likely delivered to an internal PC via a spear-phishing campaign. From this system the attackers accessed other internal resources. The Trojan was designed to operate within Internet Explorer; it launched a hidden instance of Internet Explorer and injected itself into the running process.”
The report said Operation Troy was aimed only at South Korea. “The malware connected to legitimate Korean domains that were running a bulletin board and sent a specific command to a PHP page to establish an IRC channel and receive commands,” it said.
“McAfee Labs has determined that domestic espionage activities occurred before the March 20 attacks, most likely to gain intelligence regarding the targets to carry out further attacks (such as the March 20 incident) or to benefit the attackers in some other ways. This spying operation had remained hidden and only now has been discovered through diligent research and collaboration.”
McAfee said whoever was behind the attacks had designed “a sophisticated encrypted network designed to gather intelligence on military networks. We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011 and 2013. This network was designed to camouflage all communications between the infected systems and the control servers via the Microsoft Cryptography API using RSA 128-bit encryption.”
Everything extracted from the military networks would be transmitted over the encrypted network once the malware identified interesting information, the report said.
“What makes this case particularly interesting is the use of automated reconnaissance tools to identify what specific military information internal systems contained before the attackers tried to grab any of the files …
“The search criteria are primarily specific file extensions and keywords in document titles. The keywords are all military specific. Some refer to specific military units and programs that operate in South Korea.”
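The reconnaissance behaviour the report describes (a process sweeping document titles for particular extensions and keywords before anything is taken) leaves a detectable pattern on the host: one process reading an unusual burst of sensitive-looking documents in a short window. The following is an added illustration written for this page, not code from the McAfee report; the audit-event format, the keyword list and the document extensions are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed file-access audit events in a simple key=value format (not real telemetry).
SAMPLE_EVENTS = r"""2013-03-15T09:00:01 pid=4120 image=iexplore.exe op=READ path=C:\share\exercise_plan_2013.hwp
2013-03-15T09:00:02 pid=4120 image=iexplore.exe op=READ path=C:\share\unit_roster.docx
2013-03-15T09:00:02 pid=4120 image=iexplore.exe op=READ path=C:\share\deployment_schedule.pdf
2013-03-15T09:00:03 pid=4120 image=iexplore.exe op=READ path=C:\share\exercise_budget.xls
2013-03-15T09:00:03 pid=4120 image=iexplore.exe op=READ path=C:\share\unit_training.ppt
2013-03-15T09:00:04 pid=4120 image=iexplore.exe op=READ path=C:\share\holiday_photos.jpg
2013-03-15T09:15:00 pid=2200 image=winword.exe op=READ path=C:\users\kim\unit_roster.docx
2013-03-15T11:40:00 pid=2200 image=winword.exe op=READ path=C:\users\kim\deployment_schedule.pdf
""".splitlines()

# Assumed document types of interest and constructed stand-ins for the
# domain-specific title keywords the report says the malware searched for.
DOC_EXTENSIONS = {".hwp", ".doc", ".docx", ".xls", ".ppt", ".pdf"}
SENSITIVE_KEYWORDS = ("exercise", "unit", "deployment")

def parse_event(line):
    """Turn one constructed audit line into a dict with a parsed timestamp and key=value fields."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event

def is_sensitive_document(path):
    """True when the file has a document extension and a watched keyword in its title."""
    stem, ext = ntpath.splitext(ntpath.basename(path).lower())
    return ext in DOC_EXTENSIONS and any(k in stem for k in SENSITIVE_KEYWORDS)

def find_bulk_readers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {image: peak count} for processes that read at least `threshold`
    sensitive documents inside any sliding `window`; normal editing stays below it."""
    reads = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("op") == "READ" and is_sensitive_document(ev["path"]):
            reads[ev["image"]].append(ev["time"])
    flagged = {}
    for image, times in reads.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop reads that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[image] = best
    return flagged
```

On the constructed events the hidden Internet Explorer process is flagged for five sensitive reads in three seconds, while the word processor opening two such files hours apart is not.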
McAfee said the espionage malware had the capability to destroy systems in the same way that the March 20 attacks disabled thousands of systems. “This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence.”
The McAfee report did not refer to more recent cyber attacks on South Korea, such as those last month on the anniversary of the start of the Korean War in 1950. Several government websites were shut down by the attacks.