Seoul-blackening disk wipe badness linked to 4-year SPY CAMPAIGN

Can Norks afford malware writers?

The March attack that hit tens of thousands of computers in South Korea was part of a much larger campaign waged against the Asian nation since at least 2009. That's according to a new report by security biz McAfee.

About 30,000 PCs in banks, insurance companies and TV stations were knackered a few months ago on 20 March in an assault dubbed the Dark Seoul Incident.

South Koreans from Busan to Namyangju couldn't draw money or transfer cash as they were shut out of their online banking accounts and entire networks of cash machines in the country fell over.

The McAfee report avoids leaping to the obvious conclusion that the attacks may be sponsored by North Korea. McAfee's EMEA CTO, Raj Samani, said the firm didn't want to second-guess a South Korean government investigation into the attacks.

What actually happened on 20 March

Spear-phishing emails - precisely targeted messages booby-trapped with attack code - were sent in the preceding three months and were used to open back doors on the PCs. The compromised Windows machines were then told to download and run the data-wiping malware on 20 March.

The software nasties unleashed on computers on the day wiped their master boot records, which are needed to successfully start up the machines.
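How a defender can tell a wiped master boot record from a healthy one, as an added example that is not McAfee's code or anything from the report: the 512-byte sector layout, the single partition entry and the baseline hash below are constructed for illustration, and the check is run against a sector image rather than a live disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR
PART_ENTRY = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    """Constructed known-good MBR: 446 bytes of boot code, one NTFS partition, signature."""
    boot_code = b"\xEB\xFE" + b"\x90" * 444            # jmp $ followed by NOP padding
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def parse_partitions(sector):
    """Return (bootable, type, lba_start, sector_count) for each non-empty table entry."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, sector, 446 + 16 * i)
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts

def check_mbr(sector, baseline_sha256=None):
    """Return (ok, findings). A wiped sector fails on signature, table and baseline hash."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return False, ["sector is not 512 bytes"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("no partition entries")
    for _, ptype, lba, count in parts:
        if count == 0 or lba == 0:
            findings.append(f"partition type 0x{ptype:02X} has an invalid extent")
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return not findings, findings

# Constructed sample sectors: a good MBR with its baseline hash, and a zeroed one
GOOD_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
WIPED_MBR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for name, img in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        ok, findings = check_mbr(img, BASELINE)
        print(f"{name}: {'OK' if ok else 'TAMPERED'} {findings}")
```

Recording the baseline hash of each machine's first sector while it is known good is what makes the last check meaningful; the signature and partition-table checks alone catch a zeroed or garbage-filled sector but not a subtly altered one.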

The attack shouldn't have been particularly damaging beyond being an absolute pain in the neck for IT workers to fix, which is why no one linked the affair to an attempt to snaffle data rather than merely to wipe it.

Beware of Norks snoops bearing gifts

However, security bods at McAfee theorise that malware used in the attack emerged from a hidden years-long campaign. The security firm has dubbed it "Operation Troy" after repeated citations of the ancient city were found in file path strings present in malware associated with the attacks.

The report (PDF) stated:

McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities.

McAfee researchers who analysed the malware deployed for Dark Seoul said it shared code with the NSTAR Trojan and other nasties linked to attacks launched against South Korea some three years ago, as McAfee explains:

The history of Operation Troy starts in 2010, with the appearance of the NSTAR Trojan. Since the appearance of NSTAR, seven known variants have been identified. Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets.

The Operation Troy control process historically involved routing operating commands through concealed Internet Relay Chat (IRC) servers, the researchers said. The first three Troy variants were managed through a South Korean manufacturing website in which the attackers installed an IRC server. This all changed just before the Dark Seoul incident.

The "Concealment" Troy variant, which appeared earlier this year, broke with this dependence on a hardcoded IRC control server and moved to running command and control through a more sophisticated (but harder to manage) botnet-based system.

Timeline of the development of Dark Seoul's malware

The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families. The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.

Raj Samani, EMEA CTO at McAfee, told El Reg that behind "noisy" DDoS attacks against South Korean targets, a far more insidious espionage campaign is taking place. "The attacks involve destruction, disruption and espionage," said Samani, adding that the espionage campaign had featured military-themed keywords such as brigade. ®
