On March 20th 2013, South Korea came under a strong, wide-ranging cyber-attack. Financial services and media were presumed to have been the primary targets. ATM networks were disabled and tens of thousands of computers had their hard disks effectively wiped.
Extensive research by McAfee has uncovered a significant amount of evidence suggesting that this incident was merely a smokescreen, intended to obscure and bring to a close a long-running attack on military targets throughout the country.
Detailed code analysis has shown that the attack, now called Operation Troy (for the frequent references to ancient Troy throughout the code base), was the product of a group known as the New Romanic Cyber Army Team, and that the attack had its origins in 2010.
Image: McAfee Labs
Throughout the evolution of the malware, little changed. "In fact," as McAfee's threat researcher Ryan Sherstobitoff noted, "The main differences between NSTAR, Chang/Eagle, and HTTP Troy had more to do with programming technique than functionality."
The analysis by Sherstobitoff and his fellow McAfee researchers very quickly showed that the attack could not have achieved its outcome in a short period of time. Reports at the time suggested that a mass phishing or similar campaign had rapidly compromised many thousands of computers. Sherstobitoff et al. do not believe this was the case. Instead, they suggest that perhaps a single successful spear-phishing email gave the attackers an entry point on a trusted computer, from which the attack then spread widely and stealthily over a long period.
It was only as a final act of 'defiance' that the affected computers were instructed to self-destruct, probably in the hope that the real purpose of the intrusion would never be discovered.
The McAfee report offers no thoughts on the identity of the instigator of the attack, but in iTWire's opinion the list of likely candidates is a very short one, numbering significantly fewer than five.