Attacks/Breaches
4/10/2013
11:13 AM
50%
50%

North Korea Behind Bank Malware, South Korea Says

Evidence ties North Korean cyber-espionage unit to two waves of attacks on banks and broadcasters, South Korean officials say.

The March wiper malware attack that deleted data at South Korean banks and broadcasters was launched by a North Korean cyber-espionage unit, South Korean government officials claimed Wednesday.

"An analysis of cyber-terror access logs, malicious code and North Korean intelligence showed that the attack methods were similar to those used by the North's Reconnaissance General Bureau, which has led hacking attacks against South Korea," said Lee Seung-won, an official at South Korea's Ministry of Science, ICT & Future Planning, at a Wednesday press conference, reported South Korea's news agency, Yonhap.

The highly targeted malware attacks infected systems at South Korean banks Jeju, NongHyup and Shinhan, and their insurance affiliates, as well as South Korean broadcasters KBS, MBC and YTN. The attacks occurred on March 20, although systems in some cases had been previously infected with malware that included a logic bomb set for that date. As a result of the attacks, some online and mobile banking operations, as well as ATMs, temporarily froze. The attack is now believed to have compromised a total of 48,000 PCs, revising earlier estimates of 32,000 PCs.

[ Tension is escalating between North and South Korea. See South Korea Charges Alleged Hackers. ]

According to Yonhap, South Korean officials further disclosed Wednesday that a second wave of attacks on March 25 and 26 targeted 58 servers and 14 websites -- including sites operated by North Korean defectors -- that are opposed to the North Korean regime in Pyongyang headed by 30-year old Kim Jong-un.

The South Korean government probe further found that planning for the March 2013 malware campaign began in June 2012, if not earlier. "North Korean PCs first used local infiltration routes to test the attack orders in February" of this year, said Chun Kil-soo, head of the Korea Internet Security Center at the government's Korea Internet & Security Agency. For the attacks, at least six PCs were used to distribute 76 different types of malware, 18 of which had previously been seen only in cyber attacks launched by North Korea.

Officials said South Korean networks targeted in the March attacks had been directly accessed at least 13 times from systems known to be operated by North Korea. Of the 49 "infiltration routes" government investigators identified, 25 were via networks in South Korea and 24 were from outside the country -- and 22 of those foreign IP addresses had been used since 2009 by Pyongyang to launch cyber attacks.

In the wake of the malware attacks, a Korean Communications Commission official accused North Korea of launching at least some of the attacks via an IP address in China. But South Korean government officials quickly recanted that attribution, saying they'd misread a private IP address assigned to NongHyup bank as being registered in China, and that it was too early to assign blame.

In fact, at least one system at NongHyup was used to distribute the attacks, which deleted data from Windows, Unix and Linux systems. According to South Korean antivirus vendor AhnLab's Security Emergency Response Center (ASEC), at least some of the attacks were distributed via AhnLab's enterprise patch management software at the targeted sites, which attackers accessed using legitimate -- but stolen -- usernames and passwords. ASEC's research found that "once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates."

South Korean officials have claimed that a North Korean cyber-warfare unit -- dubbed "No. 121" -- includes roughly 3,000 personnel who have been trained in malware development and network infiltration.

The results of South Korea's wiper malware probe were detailed on the same day that South Korea's foreign minister, Yun Byung-se, warned that North Korea had placed a mid-range Musudan ballistic missile on its east coast. "According to intelligence obtained by our side and the U.S., the possibility of a missile launch by North Korea is very high," Yun told a parliamentary hearing, saying a launch of one or more missiles could happen "any time from now." The Musudan missile is believed to have a range of 3,500 kilometers, meaning it could strike not only South Korea and Japan but also Guam.

In response to the missile repositioning, American and South Korean troops Wednesday increased their alert levels, reported The New York Times. On a related note, the White House earlier this month announced that an anti-missile system scheduled to be deployed in Guam in 2015 -- called Thaad, for Terminal High Altitude Area Defense -- would instead be deployed by the end of the month.

Easily overlooked vulnerabilities could put your data and business at risk. Also in the new, all-digital 10 Web Threats special issue of Dark Reading: How hackers compromised an iOS developers' website to exploit Java plug-in vulnerabilities and attack Apple, Facebook, Microsoft and Twitter. (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Computer Repair Whiteplains NY
50%
50%
Computer Repair Whiteplains NY,
User Rank: Apprentice
4/11/2013 | 3:03:38 PM
re: North Korea Behind Bank Malware, South Korea Says
It is time to sharpen the Internet blades against North Korea.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.