More information on the South Korean cyber attack
The mysterious cyber attack that hit an estimated 32,000 computers at South Korean TV stations and banks last week is looking more interesting, based on the latest analysis from computer security companies.
The first immediate analysis concluded that the malicious software was pretty unsophisticated, in part because it was based on a piece of malware that has been known for a year or so and because the commands in the code were not hidden.
That still seems to be true, but more data about the malware is coming out as researchers spend more time with it.
Fortinet on Friday said there were two different pieces of software that, once either got on a machine, would install one of four routines that ultimately wiped the hard disk. The wiper programs were triggered by the absence of a file, by certain data in memory, or by the current time.
It’s that latter one that triggered the attack at 2pm, as can be seen in this piece of code:
That software would trigger at 2pm and write “HASTATI” over the hard disk directory, thus rendering it useless. A second wiper triggered at 3pm local time and wrote “PR!NCPES” over the disk content.
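The two marker strings above are the most practical forensic signature of this wiper: a drive that was hit should contain long runs of “HASTATI” or “PR!NCPES” where the partition table or file data used to be. The following triage script is an added example, not Fortinet’s or anyone else’s code from this story. It scans a raw disk image sector by sector for those two markers and reports which sectors were overwritten and by which wiper. The sample image is constructed inline, and the assumption that the wiper fills whole 512-byte sectors with the repeated marker is mine; the page only names the strings.

```python
import re
from typing import Dict, List

SECTOR_SIZE = 512

# Overwrite markers reported by Fortinet for the 2pm and 3pm wipers (from the page).
WIPER_MARKERS: Dict[str, bytes] = {
    "HASTATI": b"HASTATI",    # 2pm wiper, written over the disk directory
    "PR!NCPES": b"PR!NCPES",  # 3pm wiper, written over disk content
}


def scan_image(image: bytes, sector_size: int = SECTOR_SIZE) -> Dict[int, Dict[str, int]]:
    """Map sector index -> {marker name: occurrences} for every sector holding a marker.

    Matching runs over the whole image rather than per sector so a marker that
    straddles a sector boundary is still found and attributed to the sector it starts in.
    """
    hits: Dict[int, Dict[str, int]] = {}
    for name, marker in WIPER_MARKERS.items():
        for match in re.finditer(re.escape(marker), image):
            sector = match.start() // sector_size
            hits.setdefault(sector, {}).setdefault(name, 0)
            hits[sector][name] += 1
    return hits


def wiped_sectors(hits: Dict[int, Dict[str, int]]) -> List[int]:
    """Sorted list of sector indices that contain at least one wiper marker."""
    return sorted(hits)


def summarise(hits: Dict[int, Dict[str, int]]) -> Dict[str, int]:
    """Number of affected sectors per wiper marker, for a quick triage verdict."""
    summary: Dict[str, int] = {name: 0 for name in WIPER_MARKERS}
    for counts in hits.values():
        for name in counts:
            summary[name] += 1
    return summary


def _filled_sector(marker: bytes, sector_size: int = SECTOR_SIZE) -> bytes:
    """Constructed wiped sector: the marker repeated until the sector is full (assumption)."""
    return (marker * (sector_size // len(marker) + 1))[:sector_size]


def build_sample_image() -> bytes:
    """Constructed four-sector image: one intact boot sector, two wiped sectors, one zeroed."""
    boot_sector = b"\x33\xc0\x8e\xd0" + b"\x00" * (SECTOR_SIZE - 6) + b"\x55\xaa"  # constructed
    return b"".join([
        boot_sector,                            # sector 0: untouched
        _filled_sector(b"HASTATI"),             # sector 1: hit by the 2pm wiper
        b"\x00" * SECTOR_SIZE,                  # sector 2: zeroed, no marker
        _filled_sector(b"PR!NCPES"),            # sector 3: hit by the 3pm wiper
    ])


if __name__ == "__main__":
    hits = scan_image(build_sample_image())
    for sector in wiped_sectors(hits):
        print(f"sector {sector}: {hits[sector]}")
    print("summary:", summarise(hits))
```

On a real acquisition you would read the image with `open(path, "rb")` in chunks instead of holding it in memory; the per-sector attribution is the same. A zeroed sector (sector 2 above) is deliberately not reported, since zero-filling is not what this wiper was described as doing and conflating the two would muddy the timeline.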
But the most interesting information from Fortinet came in an interview with The Guardian.
Guillaume Lovet, threat response manager for Fortinet in Paris, said: “In examining some of the code for the malware responsible for the attack, we’ve found that it refers to a RAT – a remote access tool. That’s not a phrase a normal virus writer would use. That’s more like a professional.” He explained: “My feeling is that the author of this is not a typical virus writer. So it could be a government-led attack.”
But, he added, “if it is, then it’s the least sophisticated attack that we have seen in years.” — The Guardian, March 22, 2013
So, the source of the attack is becoming more interesting.
Pretty quickly South Korean investigators announced they had traced the source of the attack to a computer in China, but a day later had to retract that information.
The Korea Communications Commission had found a Chinese Internet address as the source of the infection, although it said a day later that the address was, in fact, one used by Nonghyup Bank. On the Internet, the address was pointing to a computer in China, but Nonghyup had reused it on its internal network, reported The AP in Seoul.
Meanwhile, South Korea’s AhnLab said the software was distributed to computers in the companies through patch management servers. These are in-company computers that distribute software patches to computers in the organizations. IDs and passwords for the servers had been stolen to provide access.
“Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates,” said AhnLab.
The company didn’t provide any guesses for the source of the attack — but, somewhat unusually, they were happy to have someone else do it for them. In a press release, the company included speculation that the hack was based in North Korea.
The malware code for the attack was likely developed by Chinese sources and used by hackers from North Korea, according to Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University in a statement to BusinessWeek Magazine. — AhnLab press release, March 22, 2013.
Here’s the actual quote:
“Discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there,” said Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University. “Who else would be making this kind of attack at this scale and timing other than North Korea?” — Bloomberg Businessweek, March 21, 2013.
The professor is responding to the Korea Communications Commission’s announcement that the attack was traced to a Chinese Internet address, something that’s now been corrected. That correction went out about 12 hours before AhnLab issued its press release at 2:21pm EDT on Friday.
North Korea hasn’t directly said anything about the attacks in South Korea or the various theories raised in Seoul and the global media that it might be behind the incident.
But on March 20 — the day Seoul was hit by the attacks — it did choose to complain about speculation that an Internet outage that took its websites offline the prior week was part of a domestic plan.
It also rubbished speculation that it might launch retaliatory attacks on South Korea — hours before it would be accused of just that.
Here’s the full KCNA report:
Pyongyang, March 20 (KCNA) — Some days ago, leading internet websites of the DPRK were hit hard by virus attacks. The south Korean puppet regime is letting its paid experts spread the rumor that “it is likely to be a charade orchestrated by the north”. The ultra-right conservative media are hyping this rumor by echoing their assertion.
Minju Joson Wednesday in a bylined commentary observes in this regard:
It is as clear as a pikestaff who mounted the cyber attacks as it was timed to coincide with the nuclear war exercises staged by the U.S. and south Korean warmongers against the DPRK.
The south Korean regime is spreading the rumor because of its guilty conscience.
What merits a serious attention is that it is letting loose even sophism that a vicious code with function of Ddos attack which they suspect it is “made by the north” is detected without let-up, “the north is going to attack main facilities with cyber terror” and that “the north may make a retaliatory provocation”. On Mar. 15, it “served such warning that the north may cause a Ddos attack in the light of the fact that it targets mainly websites of military generals different from the attack made to gather financial information, etc.” This propaganda is aimed at implanting anti-DPRK hostility into the minds of south Koreans and justifying the policy for confrontation with fellow countrymen and war. This goes to prove that the cyber attacks on the DPRK were perpetrated according to the carefully worked out scenario in advance.
The rumor floated by the south Korean regime about cyber attacks on the DPRK is little short of another anti-DPRK farce orchestrated by it with the backing of the U.S. to secure a pretext for igniting a war against the DPRK.
The ceaseless ridiculous plots hatched by the puppet forces for a war of aggression against the DPRK would only bring into bolder relief their true colors and precipitate their self-destruction.
This entry was posted by Martyn Williams on March 24, 2013 at 18:23, and is filed under Hacking, Security.