The South Korean public sector is once again in the firing line of a sophisticated – and likely government-backed – cyberattack.
The campaign was active between November 2016 and January 2017 and relied on malicious documents in the Hangul Word Processor (HWP) format, which exploited vulnerabilities in that Korean-language word processor; at least one lure was spoofed to look like a document from the South Korean Ministry of Unification.
Security researchers at Cisco Talos discovered that, once a document had been opened, the adversaries used a compromised South Korean government website, kgls.or.kr (Korean Government Legal Service), as the staging point from which secondary payloads were downloaded onto the compromised machines.
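The lure-then-payload sequence above (an HWP document is fetched or opened, then the second stage is pulled from the compromised kgls.or.kr site) is the kind of thing a proxy log can surface. The following triage script is an added example written for this page, not code from Cisco Talos or from the original article. The only indicator it takes from the report is the hostname kgls.or.kr; the log format, the sample lines, the client addresses and the 30-minute correlation window are all constructed assumptions.

```python
"""Triage proxy logs for the HWP-lure-then-second-stage pattern.

Constructed example: log lines are invented, in a simplified
"<ISO time> <client_ip> <method> <url> <status> <content_type>" format.
The only indicator taken from the Talos report is the host kgls.or.kr.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Compromised staging host named in the report; the rest is assumption.
WATCHLIST_HOSTS = {"kgls.or.kr"}
# Assumed: how long after an .hwp download a watchlist hit still counts as
# the same infection chain rather than an unrelated visit.
WINDOW = timedelta(minutes=30)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2017-01-10T09:00:05 10.1.2.3 GET http://mail.example.test/attach/unification_notice.hwp 200 application/octet-stream
2017-01-10T09:01:40 10.1.2.3 GET http://kgls.or.kr/images/update.gif 200 application/octet-stream
2017-01-10T09:02:10 10.1.2.9 GET http://kgls.or.kr/ 200 text/html
2017-01-10T11:30:00 10.1.2.5 GET http://www.example.test/report.hwp 200 application/octet-stream
2017-01-10T14:00:00 10.1.2.5 GET http://kgls.or.kr/images/update.gif 200 application/octet-stream
"""


def parse_line(line):
    """Split one constructed log line into a dict with parsed time and URL parts."""
    ts, client, method, url, status, ctype = line.split()
    parsed = urlparse(url)
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": parsed.hostname,
        "path": parsed.path,
        "status": int(status),
        "ctype": ctype,
    }


def triage(log_text, watchlist=WATCHLIST_HOSTS, window=WINDOW):
    """Return a list of (client, level, reason) findings in time order.

    "ioc":   any request to a watchlisted host (worth a look, may be benign
             browsing of the legitimate site).
    "chain": a watchlisted request preceded, within `window`, by a successful
             .hwp download from the same client, i.e. the lure-then-payload
             sequence described in the report. These go to the top of the queue.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_hwp = {}  # client -> time of its most recent successful .hwp download
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["path"].lower().endswith(".hwp") and ev["status"] == 200:
            last_hwp[ev["client"]] = ev["time"]
            continue
        if ev["host"] in watchlist:
            prior = last_hwp.get(ev["client"])
            if prior is not None and ev["time"] - prior <= window:
                findings.append((ev["client"], "chain",
                                 f"{ev['url']} fetched {ev['time'] - prior} after an .hwp download"))
            else:
                findings.append((ev["client"], "ioc", f"request to {ev['host']}"))
    return findings


if __name__ == "__main__":
    for client, level, reason in triage(SAMPLE_LOG):
        print(f"{level:5} {client:10} {reason}")
```

Run against the sample, the script ranks 10.1.2.3 as a "chain" hit (HWP download followed 95 seconds later by a fetch from the compromised host) and leaves 10.1.2.9 and 10.1.2.5 at "ioc" level, the latter because its HWP download was hours earlier and falls outside the window. The hostname match alone is a weak signal, since kgls.or.kr is a legitimate site; the correlation with the lure is what makes it worth an analyst's time.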
"This attack is notable because it uses the proprietary format of the Hangul Word Processor, a regional word processor and popular alternative to Microsoft Office for South Korean users," Cisco Talos reports.
"Due to these elements it's likely that this campaign has been designed by a well-funded group in an attempt to gain a foothold into South Korean assets, which can be deemed extremely valuable."
Many of these techniques fit the profile of earlier campaigns attributed to state-backed groups. South Korean systems are routinely attacked by their neighbors in the North. The US National Security Agency also has a history of gaining access to networks in South Korea, primarily to spy on the Norks.
The campaign ran in the run-up to a controversial ballistic missile test by the North Koreans earlier this month and, perhaps of greater relevance, shortly before joint US–South Korean military exercises.
North Korea has repeatedly been blamed for hacks and malware-based attacks on its southern neighbor, most notoriously the so-called Dark Seoul attacks against banks and broadcasters in 2013. The Norks were also blamed by US intel agencies for the infamous Sony Pictures hack of 2014. ®