Loud Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets

Published: 22/11/2024   Category: security




Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit



A wave of cyberattacks that targeted South Korean banks and media networks today employed destructive malware that wiped the hard drives and attached drives of infected machines, crippling the organizations for hours as data was lost and the infected machines were unable to reboot.
Details of the attacks are still coming to light, but security experts have gotten a close-up look at the malware that was used in the attacks. One theory being studied by Symantec and other security firms is whether the malware initially was spread via drive-by attacks, specifically with a waterhole strategy that infected websites that users at those organizations would frequent, but Symantec says it has not confirmed that vector. Security firm Avast, meanwhile, suggests that the attack originated from a legitimate Korean website, Korea Software Property Right Council (SPC), that housed the malware.
Reports came out of South Korea today that computer screens went blank at 2 p.m. local time/5:00 a.m. GMT. The machines were defaced with a message from "The WhoIs Team" warning that the attackers had all of the victims' user accounts and data -- and that they had deleted the data. "We'll be back soon," the messages also said. Television media outlets YTN, MBC, and KBS were targeted, as were two major banks, Shinhan Bank and NongHyup Bank, according to Reuters. Other reports said Korean ISP LG U+, which provides services to some of the victims, also was breached in the attacks.
South Korean military and government networks weren't infected, but the Korean army raised its alert level amid worries that North Korea was behind the attacks given the escalating tensions between the nations. North Korea several days ago claimed that South Korea and the U.S. were behind attacks that knocked several of its websites offline for close to two days -- all of that in the wake of recent nuclear threats from North Korea, as well as drone and rocket attack exercises conducted by North Korea.
While the data-wiping attack against South Korean banks and media outlets has the earmarks of hacktivists, attribution is difficult. So far, there's no confirmation of a larger cyberwar campaign by North Korea or another nation, but not surprisingly, that was one of the initial concerns when the attacks hit. The signs could also be mere false flags, planted to throw investigators off the trail of the real attackers.
Another theory is that China is behind the attacks on South Korea. That was the conclusion of security firm Avast after studying the malware and finding several Chinese words and other clues in the malware. "The attack probably originates in China. Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executables makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese," according to its blog post today, pointing out some Chinese words in the code.
Regardless of who is behind them, the attacks resemble the one that hit Saudi Aramco last year, which is believed to have used the data-destroying Shamoon malware and wiped data from some 10,000 machines, crippling the company's internal network. Even so, the malware used in the South Korean attacks is different from Shamoon in some ways, says Liam O Murchu, manager of operations at Symantec Security Response. "It operates differently ... but it's still destructive," Murchu says.
It was specifically written for Korean targets, for instance, and checks for Korean antivirus products to disable, Murchu says. In addition, it overwrites the Master Boot Record (MBR), wipes the contents of the hard disk, and has the ability to do the same on any attached or mapped drives. Without a valid MBR and disk contents, the machine is left unusable. Symantec has named the malware Trojan Horse/Trojan.Jokra and WS.Reputation.1.
"It is likely that the group that is called Whois Team is a new one [and] just decided to deface the LG-owned website after they watched the news and found out about the attacks affecting the banks and media systems," says Jaime Blasco, labs manager at Alien Vault Labs. "Another possibility is that a sophisticated group of attackers gained access to the banks and media systems, performed whatever actions they wanted to do, and then wiped all the systems to clean their tracks."
Or the attackers merely wanted to create panic and financial loss to the victims, he says. The LG-owned website hack can also be a diversionary tactic or false flag operation to give false data about who is behind the attacks, Blasco says.
The malware may have been created using the GonDad exploit kit available on the black market, based on the filenames used in the attack, he says, although that's just a theory for now.
"I would say that the attackers could have built or bought access to a botnet that had infected systems from the affected entities -- media and banking, etc. -- and then they could have gained access to the network, gotten admin credentials, and executed the wiper payload," he says.
[Old-school but painful data-destroying malware attacks in the Middle East are a red flag to revisit incident response and recovery. See "The Data-Annihilation Attack Is Back."]
"Obviously, the attacks were designed to be loud -- the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," Kaspersky Lab analysts wrote in a blog post today.
Kaspersky analysts say it's hard to tell whether this was an isolated attack or part of a larger cyberwar initiative. "If a nation state is NOT behind these attacks, then it's just cyber-terrorism; cyberwar requires a nation state to be behind the attacks. In general, if the attacks target critical infrastructure, they can be considered cyber-terrorism. According to the definition of critical infrastructure, banks can be considered as such, therefore, this counts as a cyberterrorism attack," they said. "Previous incidents like Stuxnet and Wiper were part of an ongoing cyberwar campaign that went for years, although in a more stealthy fashion."