SKorea cyber attack part of long campaign: US study

July 9, 2013 by Rob Lever
Members of the Korea Internet Security Agency (KISA) check on cyber attacks at a briefing room of KISA in Seoul on March 20, 2013. The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded.

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded.

The study by the firm McAfee stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated , including efforts to wipe away traces that could lead to detection.

"The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group," said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea's military was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks—Shinhan, NongHyup and Jeju.

Walter told AFP that McAfee drew no official conclusion but added that "I have no reason to disagree" with the South Korean investigation conclusion.

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.

"One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets," Walter said.

The report said the attacks, known first as Dark Seoul and now as Operation Troy were "more than cybervandalism... South Korean targets were actually the conclusion of a covert campaign."

McAfee concluded that two groups claiming responsibility for the attack were not credible.

"The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source," the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.

He added that up to now, the cyber espionage effort "has been very successful in being under the radar" and that "what we see now was a more visible activity that is coupled with a distraction campaign."

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.

"The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools," the report said.

"Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009... We call this Operation Troy, based on the frequent use of the word Troy in the compile path strings in the malware."

McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a "persistent and intensive" hacking assault that temporarily took a number of its official websites offline.

It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang's nuclear test in February.

Explore further: Cyber attack hits US-based NKorea rights group

Related Stories

SKorea says NKorea behind computer crash in March

April 10, 2013

(AP)—North Korea was responsible for a cyberattack that shut down tens of thousands of computers and servers at South Korean broadcasters and banks last month, officials in Seoul said Wednesday, noting that an initial investigation ...

SKorea says several gov't, private websites hacked

June 25, 2013

South Korea said multiple government and private sector websites were hacked on Tuesday's anniversary of the start of the Korean War, and Seoul issued a cyberattack alert warning officials and citizens to take security measures.

South Korea beefs up cyber security

July 4, 2013

South Korea on Thursday said it would double its cyber-security budget and train 5,000 experts amid growing concern over its vulnerability to attacks it blames on North Korea.

Studies: Cyberspying targeted SKorea, US military

July 8, 2013

The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives, cybersecurity firms say: They also are trying to steal South Korean and U.S. ...

Recommended for you

Nevada researchers trying to turn roadside weed into biofuel

November 26, 2015

Three decades ago, a University of Nevada researcher who obtained one of the first U.S. Energy Department grants to study the potential to turn plants into biofuels became convinced that a roadside weed—curly top gumweed—was ...

Glider pilots aim for the stratosphere

November 20, 2015

Talk about serendipity. Einar Enevoldson was strolling past a scientist's office in 1991 when he noticed a freshly printed image tacked to the wall. He was thunderstruck; it showed faint particles in the sky that proved something ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.