SKorea cyber attack part of long campaign: US study

Jul 09, 2013 by Rob Lever
Members of the Korea Internet Security Agency (KISA) check on cyber attacks at a briefing room of KISA in Seoul on March 20, 2013. The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded.

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded.

The study by the firm McAfee stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated , including efforts to wipe away traces that could lead to detection.

"The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group," said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea's military was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks—Shinhan, NongHyup and Jeju.

Walter told AFP that McAfee drew no official conclusion but added that "I have no reason to disagree" with the South Korean investigation conclusion.

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.

"One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets," Walter said.

The report said the attacks, known first as Dark Seoul and now as Operation Troy were "more than cybervandalism... South Korean targets were actually the conclusion of a covert campaign."

McAfee concluded that two groups claiming responsibility for the attack were not credible.

"The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source," the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.

He added that up to now, the cyber espionage effort "has been very successful in being under the radar" and that "what we see now was a more visible activity that is coupled with a distraction campaign."

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.

"The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools," the report said.

"Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009... We call this Operation Troy, based on the frequent use of the word Troy in the compile path strings in the malware."

McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a "persistent and intensive" hacking assault that temporarily took a number of its official websites offline.

It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang's nuclear test in February.

Explore further: Twitter takes note of other apps on smartphones

add to favorites email to friend print save as pdf

Related Stories

South Korea beefs up cyber security

Jul 04, 2013

South Korea on Thursday said it would double its cyber-security budget and train 5,000 experts amid growing concern over its vulnerability to attacks it blames on North Korea.

SKorea says several gov't, private websites hacked

Jun 25, 2013

South Korea said multiple government and private sector websites were hacked on Tuesday's anniversary of the start of the Korean War, and Seoul issued a cyberattack alert warning officials and citizens to take security measures.

Studies: Cyberspying targeted SKorea, US military

Jul 08, 2013

The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives, cybersecurity firms say: They also are trying to steal South ...

SKorea says NKorea behind computer crash in March

Apr 10, 2013

(AP)—North Korea was responsible for a cyberattack that shut down tens of thousands of computers and servers at South Korean broadcasters and banks last month, officials in Seoul said Wednesday, noting ...

Recommended for you

UN moves to strengthen digital privacy (Update)

Nov 25, 2014

The United Nations on Tuesday adopted a resolution on protecting digital privacy that for the first time urged governments to offer redress to citizens targeted by mass surveillance.

Spotify turns up volume as losses fall

Nov 25, 2014

The world's biggest music streaming service, Spotify, announced Tuesday its revenue grew by 74 percent in 2013 while net losses shrank by one third, in a year of spectacular expansion.

Virtual money and user's identity

Nov 25, 2014

Bitcoin is the new money: minted and exchanged on the Internet. Faster and cheaper than a bank, the service is attracting attention from all over the world. But a big question remains: are the transactions ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.