
South Korea's "Dark Seoul" exposed as a military cyber-attack


McAfee's investigations into the March 20th "Dark Seoul" attack strongly suggest it had a military focus.

On March 20th 2013, South Korea came under a wide-ranging cyber-attack. Financial services and media companies were presumed to be the primary targets: ATM networks were disabled and tens of thousands of computers had their hard disks effectively wiped.

Extensive research by McAfee has uncovered a significant amount of information to suggest that this incident was merely a smokescreen to obscure and bring to a close a long-running attack on military targets throughout the country.

Detailed code analysis has shown that the attack, now called Operation Troy (for the frequent references to the ancient city of Troy and to the Roman military throughout the code-base), was the product of a group calling itself the New Romanic Cyber Army Team, and that the campaign had its origins in 2010.

Image: McAfee Labs

Throughout the evolution of the malware, little changed. "In fact," as McAfee's threat researcher Ryan Sherstobitoff noted, "The main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than functionality."

One of the main components of the malware was built to search infected computers for a broad range of decidedly militaristic terms (for instance "Defense", "Weapon", "Key Resolve Drill" or "Artillery", to name just four of the 35 listed on page 22 of the report). Once matches were found, the computer was ranked for its likely importance based on which words appeared and how often they occurred in its stored files. A later function packaged the matching files into a zip archive and exfiltrated them to the attackers' servers, with the highest-ranked computers uploaded first.
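The following is an added illustration of the scan-rank-package logic described above; it is not McAfee's analysis code or the malware's, and it is written here to make the prioritisation concrete. The only search terms it uses are the four the article quotes (the other 31 are not on this page); the file extensions scanned, the scoring weights (distinct terms count ten times a repeated hit), the three constructed "hosts" and their document contents are all assumptions made for the example.

```python
"""Illustrative reconstruction of a keyword-scored exfiltration queue.

Added example, not code from the article or from McAfee. Term list is the
subset quoted on the page; everything else below is an assumption.
"""
import os
import re
import tempfile
import zipfile
from collections import Counter

# Only the four terms the article quotes from McAfee's 35-word list.
TERMS = ["Defense", "Weapon", "Key Resolve Drill", "Artillery"]
TEXT_EXT = {".txt", ".doc", ".hwp"}  # assumed set of document types worth scanning
TERM_RE = re.compile("|".join(re.escape(t) for t in TERMS), re.IGNORECASE)


def count_terms(text):
    """Case-insensitive hit count per term in one document."""
    return Counter(m.group(0).lower() for m in TERM_RE.finditer(text))


def scan_tree(root):
    """Walk a directory; return {path: Counter} for files containing any term."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = count_terms(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                found[path] = hits
    return found


def host_score(found):
    """Assumed weighting: breadth of vocabulary (distinct terms) dominates,
    raw frequency breaks ties. score = 10 * distinct_terms + total_hits."""
    total = Counter()
    for hits in found.values():
        total.update(hits)
    return 10 * len(total) + sum(total.values())


def rank_hosts(hosts):
    """hosts: {hostname: root_dir}. Returns [(hostname, score, found)], best first."""
    ranked = [(host, host_score(scan_tree(root)), scan_tree(root))
              for host, root in hosts.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def package(found, out_path):
    """Zip the matched files; this is the 'later function' the article describes."""
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(found):
            zf.write(path, arcname=os.path.basename(path))
    return out_path


def demo():
    """Build three constructed hosts under a temp dir and return the upload order."""
    base = tempfile.mkdtemp()
    samples = {  # constructed sample data, not real documents
        "hq-planner": {"drill.doc": "Key Resolve Drill schedule; artillery units; weapon loadout",
                       "notes.txt": "defense posture review"},
        "payroll":    {"salaries.txt": "monthly figures",
                       "memo.doc": "weapon was the word of the day"},
        "cafeteria":  {"menu.txt": "bibimbap, kimchi"},
    }
    hosts = {}
    for host, files in samples.items():
        root = os.path.join(base, host)
        os.makedirs(root)
        for name, text in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        hosts[host] = root
    ranked = rank_hosts(hosts)
    # Package in priority order; the zip name records the rank (01 = first to upload).
    for i, (host, _score, found) in enumerate(ranked, 1):
        if found:
            package(found, os.path.join(base, f"{i:02d}-{host}.zip"))
    return [(host, score) for host, score, _ in ranked]


if __name__ == "__main__":
    for host, score in demo():
        print(f"{score:4d}  {host}")
```

Running the block prints the three constructed hosts in upload order: the one holding all four terms scores 44, the one with a single stray "weapon" scores 11, and the host with no matches scores 0 and is never packaged. A defender can use the same idea in reverse: a host whose document store lights up on a list like this is the one whose egress traffic deserves the closest look.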

The analysis by Sherstobitoff and fellow McAfee researchers quickly showed that the attack could not have been carried out in a short period of time to achieve this outcome. Reports at the time suggested a mass phishing or similar campaign had rapidly infected many thousands of computers. Sherstobitoff et al do not believe this to be the case. Instead they suggest that perhaps a single successful spear-phishing attack gave the attackers an entry point on a trusted computer, from which the intrusion stealthily spread across the network.

It was only as the final act of 'defiance' that the affected computers were instructed to self-destruct, probably in the hope that the real cause would never be discovered.

The McAfee report offers no thoughts on the identity of the instigator of the attack, but in iTWire's opinion, the list of likely candidates is a very short one, numbering significantly less than five.


David Heath


David Heath has over 25 years experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.
