Malware that hit South Korea wasn’t so sophisticated
A cyber attack on three of South Korea’s major broadcasters and several of its major banks appears to have been caused by a relatively unsophisticated piece of software, security researchers said Wednesday. [Story updated, see below]
The attacks, which began at around 2pm local time on Wednesday (5:00 UTC) left desktop and laptop computers unable to start at KBS, MBC and YTN and took the auto-teller machines at Shinhan Bank and Nonghyup Bank offline. It didn’t affect the ability of the TV stations to put out programming.
The root of the attack was a malicious piece of software identified by computer security company Sophos Labs as “Mal/EncPk-ACE.” The rather forgettable name has resulted in it being dubbed “DarkSeoul” by researchers at the company who analyzed the code on Wednesday.
“What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated,” the company said in a blog posting.
For that reason — and based on its analysis of the software code alone — Sophos said it’s difficult to conclude the malicious software constituted a “cyberwarfare” attack from North Korea.
Whatever the source, the software was directed at South Korean computers because it attempts to disable two popular local anti-virus scanners, AhnLab and Hauri AV, Sophos said.
When a computer is infected, the software appears to create several files in the “temp” folder of the PC, AhnLab said in a blog posting. The new files include a routine to destroy the master boot record of the disk — the hard disk’s electronic directory of where information is stored.
A computer with a damaged master boot record won’t start — exactly the behavior reported by companies hit by the attack.
In some cases, the malicious code will attempt to overwrite data on the hard disk. In some cases, data is overwritten with the word “PRINCPES” while other cases saw the words “HASTATI” and “NCPES” used, said researchers.
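The MBR destruction and overwrite behaviour described above, as an added example that is not from the article or from any vendor's analysis: a Python check that parses the first 512-byte sector of a disk image, confirms the 0x55AA boot signature and partition table, and looks for the overwrite strings reported in the attack. The sample sectors are constructed here; the function and key names are assumptions.

```python
"""Forensic sanity check of a 512-byte MBR sector for a DarkSeoul-style wipe.

Added example (not the article's code). It inspects a raw sector for the
boot signature, plausible partition entries, and the overwrite strings the
article reports ("PRINCPES", "HASTATI", "NCPES").
"""
import struct

SECTOR_SIZE = 512
# Overwrite strings named in the reporting on the attack.
WIPER_MARKERS = (b"PRINCPES", b"HASTATI", b"NCPES")


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature status, partition-table sanity and any wiper marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    # Boot signature lives in the last two bytes: 0x55 0xAA (0xAA55 little-endian).
    signature = struct.unpack_from("<H", sector, 510)[0]
    # Four 16-byte partition entries start at offset 446.
    entries = [sector[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    valid_entries = 0
    for e in entries:
        boot_flag, ptype = e[0], e[4]
        if boot_flag in (0x00, 0x80) and ptype != 0:  # plausible entry
            valid_entries += 1
    marker = next((m for m in WIPER_MARKERS if m in sector), None)
    return {
        "boot_signature_ok": signature == 0xAA55,
        "valid_partition_entries": valid_entries,
        "wiper_marker": marker.decode() if marker else None,
        "marker_count": sector.count(marker) if marker else 0,
    }


def looks_wiped(sector: bytes) -> bool:
    """True if the sector cannot boot or carries a known overwrite string."""
    info = parse_mbr(sector)
    return (not info["boot_signature_ok"]) or info["wiper_marker"] is not None


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: stub boot code, one active partition, signature."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (446 - 5)
    # Active (0x80) NTFS-type (0x07) entry; CHS/LBA values are constructed.
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed wiped sector: the 8-byte string repeated across all 512 bytes.
WIPED_SAMPLE = b"PRINCPES" * 64
```

Run it against `dd if=/dev/sda bs=512 count=1` output (or the first sector of an image) to triage a machine that will not boot.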
Versions were detected that attack Windows XP, Windows 7 and several lesser-used operating systems including Linux, HP Unix, Solaris and AIX Unix.
Separately from the malicious software, network analysis company Renesys said it detected an impact in several South Korean networks as a result of the attack.
“We observed 5 routed networks of Korea Broadcasting System go down at 05:54:18 UTC this morning (20 March). At the time of this writing they are still down. The Yonhap News Network (YTN) also experienced outages of two of its networks today at 05:54:30 UTC and 06:29:26 UTC.”
Renesys said it also noticed network problems at Korea Gas Corp., which saw its networks go completely offline for two hours from 15:26:30 local time (6:26:30 UTC). Three networks at Shinhan Bank also went offline at the same time.
The problems at Korea Gas could be coincidental, but Renesys notes that South Korea’s 15,000 networks are usually pretty reliable, with only 40 or 50 offline at any one time, usually for technical reasons.
“However, networks from these sectors (Media, Energy, and Banking) are typically some of the most stable, and the timing of their simultaneous outages seems suspicious.”
03/22 UPDATE: Korea Gas contacted Renesys to tell it the network was deliberately taken offline when the attacks were reported to protect its system.
The attack came less than a week after North Korea’s considerably smaller Internet was hit by an unknown glitch that resulted in difficulty accessing web sites for almost two days. North Korea blamed the U.S. and its allies for a cyber attack but offered no other details of the incident, which was only reported in the country’s foreign media output.
“Since last week’s disruption in connectivity in North Korea, we have observed additional brief routing outages for the four routed networks of North Korea. On Monday (18 March) and this morning (20 March), we observed outages lasting for just a few minutes in North Korea. It should be noted that although North Korea’s Internet is small, it is very stable. Until last week, North Korean outages had been very rare.”
Additionally, an attack on the website of Internet provider LG Uplus is looking increasingly like it was unrelated to the troubles at the TV stations and banks. The attack resulted in replacing the service’s home page with a page that claimed responsibility in the name of “Team Whois.”
The same behavior wasn’t reported in the other attacks and Sophos said it had been unable to replicate it.
This entry was posted by Martyn Williams on March 21, 2013 at 11:23, and is filed under Hacking, Internet, Security, Uncategorized, Websites.