Malware that hit South Korea wasn’t so sophisticated
A cyber attack on three of South Korea’s major broadcasters and several of its major banks appears to have been caused by a relatively unsophisticated piece of software, security researchers said Wednesday. [Story updated, see below]
The attacks, which began at around 2pm local time on Wednesday (5:00 UTC) left desktop and laptop computers unable to start at KBS, MBC and YTN and took the auto-teller machines at Shinhan Bank and Nonghyup Bank offline. It didn’t affect the ability of the TV stations to put out programming.
The root of the attack was a malicious piece of software identified by computer security company Sophos Labs as “Mal/EncPk-ACE.” The rather forgettable name has resulted in it being dubbed “DarkSeoul” by researchers at the company who analyzed the code on Wednesday.
“What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated,” the company said in a blog posting.
For that reason — and based on its analysis of the software code alone — Sophos said it’s difficult to conclude the malicious software constituted a “cyberwarfare” attack from North Korea.
Whatever the source, the software was directed at South Korean computers because it attempts to disable two popular local anti-virus scanners, AhnLab and Hauri AV, Sophos said.
When a computer is infected, the software appears to create several files in the “temp” folder of the PC, AhnLab said in a blog posting. The new files include a routine to destroy the master boot record of the disk — the hard disk’s electronic directory of where information is stored.
A computer with a damaged master boot record won’t start — exactly the behavior reported by companies hit by the attack.
In some cases, the malicous code will attempt to overwrite data on the hard disk. In some cases, data is overwritten with the word “PRINCPES” while other cases saw the words “HASTATI” and “NCPES” used, said researchers.
Versions were detected that attack Windows XP, Windows 7 and several lesser used operating systems including Linux, HP Unix, Solaris and AIX Unix.
Separately from the malicious software, network analysis company Renesys said it detected an impact in several South Korean networks as a result of the attack.
“We observed 5 routed networks of Korea Broadcasting System go down at 05:54:18 UTC this morning (20 March). At the time of this writing they are still down. The Yonhap News Network (YTN) also experienced outages of two of its networks today at 05:54:30 UTC and 06:29:26 UTC.”
Renesys said it also noticed network problems at Korea Gas Corp., which saw its networks go completely offline for two hours from 15:26:30 local time (6:26:30 UTC). Three networks at Shinhan Bank also went offline at the same time.
The problems at Korea Gas could be coincidental, but Renesys notes that South Korea’s 15,000 networks are usually pretty reliable with only 40 or 50 offline at anyone time, usually for technical reasons.
“However, networks from these sectors (Media, Energy, and Banking) are typically some of the most stable, and the timing of their simultaneous outages seems suspicious.”
03/22 UPDATE: Korea Gas contacted Renesys to tell it the network was deliberately taken offline when the attacks were reported to protect its system.
The attack came less than a week after North Korea’s considerably smaller Internet was hit was an unknown glitch that resulted in difficulty accessing web sites for almost two days. North Korea blamed the U.S. and its allies for a cyber attack but offered no other details of the incident, which was only reported in the country’s foreign media output.
“Since last week’s disruption in connectivity in North Korea, we have observed additional brief routing outages for the four routed networks of North Korea. On Monday (18 March) and this morning (20 March), we observed outages lasting for just a few minutes in North Korea. It should be noted that although North Korea’s Internet is small, it is very stable. Until last week, North Korean outages had been very rare.”
Additionally, an attack on the website of Internet provider LG Uplus is looking increasingly like it was unrelated to the troubles at the TV stations and banks. The attack resulted in replacing the service’s home page with a page that claimed responsibility in the name of “Team Whois.”
The same behavior wasn’t reported in the other attacks and Sophos said it had been unable to replicate it.
|Print article||This entry was posted by Martyn Williams on March 21, 2013 at 11:23, and is filed under Hacking, Internet, Security, Websites. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.|
about 2 months ago - 2 comments
North Korea strongly denied again on Sunday having anything to do with unmanned aircraft discovered crashed on the South Korean side of the inter-Korean border. Last week, the South Korean government said it had concluded an investigation into the incident and concluded the three drones were launched from North Korea. Among its evidence, Seoul said…
about 6 months ago - 1 comment
A recently-launched iPhone app that delivers articles from the Korean Central News Agency to iPhones and iPads has been banned in South Korea. The app, iJuche, was developed and published in late 2013 and was highlighted on NorthKoreaTech earlier this week. That publicity was apparently enough to get it blocked. “I just got a call…
about 7 months ago - 1 comment
A South Korean businessman has been arrested by local authorities on suspicion of passing classified information and video and audio system technology to North Korea, Yonhap reported on Saturday. The report said the suspect, identified only as a 54-year-old man called “Kang,” worked with agents of North Korea’s Reconnaissance General Bureau to pass the information.…
about 9 months ago - No comments
Despite living in one of the most wired societies in the world, South Korean Internet users enjoy a “partly free” Internet due to government censorship of content, according to the results of a global survey on Internet freedom. Censorship of content, which includes many websites that carry North Korean content, has shot up in recent…
about 9 months ago - 1 comment
South Korean defense officials plan to soon launch a high-tech blimp just south of the disputed maritime border with North Korea in November to get a better look into the neighboring country, according to a report in Stars and Stripes. The airship will hover over the island group that includes Yeonpyong, which is the island that was…
about 1 year ago - No comments
A hacking group called “DarkSeoul” was behind some of this week’s attacks on South Korean websites, according to researchers at computer security company Symantec. The company says the group was responsible for denial of service attacks on South Korean government websites and can be directly linked to similar actions in the past. “We can now…
about 1 year ago - 1 comment
Tuesday’s series of denial of service attacks on major North Korean websites caused delays and frustration for legitimate users but doesn’t appear to have been as large or successful as the first round of attacks in late March and early April this year. Analysis by NorthKoreaTech.org of data related to the attacks shows the so-called…
about 1 year ago - No comments
The DPRK is loudly protesting the preliminary results of a South Korean investigation that found it was behind widespread computer disruption that hit several TV stations and banks on March 20. [Updated, see below.] The computer attacks wiped clean the hard disk drives of around 48,000 personal computers and servers inside broadcasters KBS, MBC and YTN, and the…
about 1 year ago - 4 comments
Hot on the heels of a series of attacks that have seen its Internet connectivity severely disrupted, the DPRK appears to be adding an additional route through which it links to the global Internet. The new link began appearing in Internet addressing tables on Monday and connects from Star, the country’s sole Internet service provider,…
about 1 year ago - No comments
Investigators looking into last week’s cyber attack on South Korean banks and broadcasters have reportedly found more IP (Internet Protocol) addresses linked to the attacks, but one security expert I spoke to said that might mean nothing. The National Police Agency said it has traced some of the malicious code to addresses in the United…