More information on the South Korean cyber attack

The mysterious cyber attack that hit an estimated 32,000 computers at South Korean TV stations and banks last week is looking more interesting, based on the latest analysis from computer security companies.

The first immediate analysis concluded that the malicious software was pretty unsophisticated, in part because it was based on a piece of malware that has been known for a year or so and because the commands in the code were not hidden.

That still seems to be true, but more data about the malware is coming out as researchers spend more time with it.

Fortinet on Friday said there were two different pieces of software that, once either got on a machine, who instal one of four routines that ultimately wiped the hard disk. The wiper programs were triggered by the absence of a file or certain memory data or by the current time.

It’s that latter one that triggered the attack at 2pm, as can be seen in his piece of code:


That software would trigger at 2pm and write “HASTATI” over the hard disk directory, thus rendering it useless. A second wiper triggered at 3pm local time and wrote “PR!NCPES” over the disk content.

But the most interesting information from Fortinet came in an interview with The Guardian.

Guillaume Lovet, threat response manager for Fortinet in Paris, said: “In examining some of the code for the malware responsible for the attack, we’ve found that it refers to a RAT – a remote access tool. That’s not a phrase a normal virus writer would use. That’s more like a professional.” He explained: “My feeling is that the author of this is not a typical virus writer. So it could be a government-led attack.”

But, he added, “if it is, then it’s the least sophisticated attack that we have seen in years.” — The Guardian, March 22, 2013

So, the source of the attack is becoming more interesting.

Pretty quickly South Korean investigators announced they had traced the source of the attack to a computer in China, but a day later had to retract that information.

The Korea Communications Commission had found a Chinese Internet address as the source of the infection, although said a day later that the address was, in fact, one used by Nonghyup Bank. On the Internet, the address was pointing to a computer in China, but Nonghyup had reused it on it’s internal network, reported The AP in Seoul.

Meanwhile, South Korea’s AhnLab said the software was distributed to computers in the companies through patch management servers. These are in-company computers that distribute software patches to computers in the organizations. IDs and passwords for the servers had been stolen to provide access.

Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates,” said AhnLab.

The company didn’t provide any guesses for the source of the attack — but, somewhat unusually, they were happy to have someone else do it for them. In a press release, the company included speculation that the hack was based in North Korea.

The malware code for the attack was likely developed by Chinese sources and used by hackers from North Korea, according to Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University in a statement to BusinessWeek Magazine. — AhnLab press release, March 22, 2013.

Here’s the actual quote:

“Discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there,” said Ryou Jae Cheol, a professor of computer engineering and securities at Chungnam National University. “Who else would be making this kind of attack at this scale and timing other than North Korea?” — Bloomberg Businessweek, March 21, 2013.

The professor is responding to the Korea Communications Commission’s announcement that the attack was traced to a Chinese Internet address, something that’s now been corrected. That correction went out about 12 hours before AhnLab issued its press release at 2:21pm EDT on Friday.

North Korea hasn’t directly said anything about the attacks in South Korea or the various theories raised in Seoul and the global media that it might be behind the incident.

But on March 20 — the day Seoul was hit by the attacks — it did choose to complain about speculation that an Internet outage that took its websites offline the prior week was part of a domestic plan.

It also rubbished speculation that it might launch retaliatory attacks on South Korea — hours before it would be accused of just that.

Here’s the full KCNA report:

Pyongyang, March 20 (KCNA) — Some days ago, leading internet websites of the DPRK were hit hard by virus attacks. The south Korean puppet regime is letting its paid experts spread the rumor that “it is likely to be a charade orchestrated by the north”. The ultra-right conservative media are hyping this rumor by echoing their assertion.
Minju Joson Wednesday in a bylined commentary observes in this regard:
It is as clear as a pikestaff who mounted the cyber attacks as it was timed to coincide with the nuclear war exercises staged by the U.S. and south Korean warmongers against the DPRK.
The south Korean regime is spreading the rumor because of its guilty conscience.
What merits a serious attention is that it is letting loose even sophism that a vicious code with function of Ddos attack which they suspect it is “made by the north” is detected without let-up, “the north is going to attack main facilities with cyber terror” and that “the north may make a retaliatory provocation”. On Mar. 15, it “served such warning that the north may cause a Ddos attack in the light of the fact that it targets mainly websites of military generals different from the attack made to gather financial information, etc.” This propaganda is aimed at implanting anti-DPRK hostility into the minds of south Koreans and justifying the policy for confrontation with fellow countrymen and war. This goes to prove that the cyber attacks on the DPRK were perpetrated according to the carefully worked out scenario in advance.
The rumor floated by the south Korean regime about cyber attacks on the DPRK is little short of another anti-DPRK farce orchestrated by it with the backing of the U.S. to secure a pretext for igniting a war against the DPRK.
The ceaseless ridiculous plots hatched by the puppet forces for a war of aggression against the DPRK would only bring into bolder relief their true colors and precipitate their self-destruction.

An affiliate of 38 North