South Korean Bank Hackers Target U.S. Military Secrets

Published: 22/11/2024   Category: security




Wiper malware APT gang has been traced to four-year military espionage campaign.



The wiper malware attack against South Korean banks and broadcasters in March 2013 has been traced to an advanced persistent threat (APT) gang that's been targeting South Korean and U.S. military secrets for at least four years.
The March attacks, which culminated in the master boot record of thousands of South Korean PCs being deleted by attackers, have been dubbed Dark Seoul. But according to a new research report published by McAfee, Dark Seoul was just one of many attacks launched as part of a long-running campaign known as Operation Troy. That name was inspired by the frequency with which the word Troy features in the compile path strings of the group's malware.
"The prime suspect group in these attacks is the New Romantic Cyber Army Team, which makes frequent use of Roman and classical terms in their code," said McAfee's report. McAfee said that after identifying similarities between malware variants used in disparate attacks -- including 2011 distributed denial-of-service (DDoS) attacks -- it finally identified what appears to be the gang's raison d'être.
"The missing element was military espionage," said McAfee threat researcher Ryan Sherstobitoff in a blog post. One of the primary goals of this group was a covert military spying operation that attempted to target military forces in South Korea, including U.S. Forces Korea.
New Romantic Cyber Army Team had already claimed credit for the March wiper malware attacks, saying it had erased 180,000 South Korean PCs, in contrast to official South Korean government estimates, which said that about 32,000 PCs were affected. The hackers also boasted that prior to wiping the systems, they'd stolen information on 2.5 million members of an organization -- the name of which was blacked out by McAfee -- plus content management system information pertaining to 50 million people, as well as unspecified bank information.
McAfee said that the group's claims that it stole massive amounts of data from infected PCs appeared to be true, because in the weeks prior to the March mass wiping of master boot records, the attackers appeared to have already infected the systems and enjoyed unrestricted access. That would have allowed them ample time to mine PCs for interesting information. What of the WhoIs Team, which also claimed credit for the March wiper attacks? McAfee said that a wiper file traced to that group shared similarities with wiper malware used in New Romantic Cyber Army Team attacks. Still, it's unclear if the WhoIs Team is simply the same group, or another gang using repurposed malware components.
Overall, McAfee said it has tied New Romantic Cyber Army Team to Operation Troy attacks that occurred from 2009 to 2013. Malware used by the group, for example, appeared to have been employed in the 2011 Ten Days of Rain DDoS attacks against 40 sites affiliated with the South Korean government, including U.S. Forces Korea and the U.S. Air Force Base in Kunsan, South Korea, as well as in other attacks that occurred in 2010, 2011 and 2013.
On June 25, meanwhile, the same group launched an attack against South Korean government and news websites, in part by distributing a modified installation file for the SimDisk file-sharing and storage service. That malware was distributed via the official SimDisk website, which pushes automatic updates to client software. Attackers hacked into the site and made it push not just a copy of the legitimate software, SimDisk.exe, to users, but also a disguised Trojan downloader, SimDiskup.exe.
That downloader connected to the Tor network to obtain a Trojan application called Castov that included a JPEG file that contains a timestamp used by Castov to synchronize attacks, said a Symantec Security Response blog post. That timestamp detailed when all Castov-infected clients should send DNS requests to a South Korean government website, thus creating a DDoS attack.
Is the New Romantic Cyber Army Team simply a front for hackers in the employ of Pyongyang? According to South Korean cybersecurity experts, the March 2013 wiper attacks were traced to an IP address in the North Korean capital, which was revealed after the attacker experienced a technical glitch.
But the Troy-wielding gang has often launched its attacks under the hacktivism banner -- and the March wiper attacks, which included stealing data and holding it ransom, would appear to fit that mold. But McAfee's Sherstobitoff said that's likely just a ruse. "The Dark Seoul adversaries show a consistent pattern of psychological warfare that includes throwing off investigators by blaming the attacks on hacktivism," he said. Both the March and June events share this feature.
Regardless of nomenclature, the attackers appear to have a grudge against both South Korea and the United States. For example, the date of the most recent attacks, June 25, was the 63rd anniversary of the start of the Korean War. "Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the Dark Seoul gang," said Symantec. They previously conducted DDoS and wiping attacks on the U.S. Independence Day as well.
