11:26 AM

South Korea Changes Story On Bank Hacks

South Korean officials now say there's no evidence that the March 20 attack against banks and television stations was launched from a Chinese IP address.

Reversing previous assertions, South Korean officials Friday said there's no evidence that the March 20 cyberattack against some of the country's banks and television stations was launched from a Chinese IP address.

"We were careless in our efforts to double-check and triple-check," Korean Communications Commission (KCC) official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain."

South Korean television broadcasters KBS, MBC and YTN were affected by the data-deleting malware attacks, which crashed their networks and wiped numerous systems, although they were able to remain broadcasting. The country's Jeju, NongHyup and Shinhan banks were also attacked, and they reported that banking operations were interrupted. While Woori Bank was also targeted in the Wednesday attacks, it wasn't infected, South Korean officials told Reuters.

The KCC had previously asserted that a Chinese IP address had been used to access an update management server at the NongHyup bank and distribute "wiper" malware via the server. The China attribution carried a political subtext, as the government of North Korea has previously launched cyberattacks against South Korean systems via Chinese IP addresses.

[ For more on the South Korean bank attacks, see South Korea Bank Hacks: 7 Key Facts. ]

The Korean mea culpa reflects the fact that when trying to trace online attacks, attribution remains difficult.

Still, how did the KCC fumble its investigation? According to a statement released Friday by the KCC, the agency mistook a private IP address used by the South Korean bank NongHyup to be an IP address that had been assigned to China. But the KCC Friday said that it had traced the origin of some attacks -- which deleted data from an estimated 32,000 Windows, Unix and Linux systems across the six affected organizations -- to a NongHyup bank system, and police have seized the system's hard drive. While that system might have been the source of multiple attacks, officials noted that it could itself have been remotely infected.

The affected organizations are still working to recover from the attacks. KCC officials said that as of Friday, the Jeju and Shinhan banks had restored their networks, but reported that related efforts were still underway at NongHyup. Meanwhile, KBS, MBC and YTN by Friday had restored only 10% of their wiped systems, and said a full recovery could take weeks. According to government officials, no new related attacks have been seen.

The attacks against South Korean banks and broadcasters -- which may have been designed for no other purpose than causing chaos -- appear to have been launched using multiple attack vectors, and a KCC spokesman said that authorities have launched a "multilateral" investigation to identify "all possible infiltration routes," reported South Korea's Yonhap News Agency.

At least one of those attack vectors involved a spear-phishing email campaign, launched Tuesday, that included a malware dropper, which, if it successfully infected a targeted PC, downloaded additional malware. "On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," read a blog post from researchers at Trend Micro. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide the malicious routines, a fake website is shown."

According to Trend Micro, the downloaded malware components included a Windows master boot record (MBR) wiper, as well as bash scripts able to delete the MBR of network-attached Unix and Linux systems. The Windows MBR wiper also included a logic bomb. "It is set to sleep until March 20 at 2:00 p.m.," said Trend Micro. "Upon the said date and time, the malware is activated."

FortiGuard Labs, which is part of security firm Fortinet, confirmed seeing at least two versions of the logic bomb used in attacks. "It was seen in a piece of malware sent to us by KISA [Korea Information Security Agency]," said Derek Manky, a senior security strategist at FortiGuard Labs, via email. "We detect this as W32/Kast.A!tr (Kast). We observed two variants, one with a logic bomb for March 20 @ 14:00h and one for March 20 @ 15:00h."

Attackers' use of a logic bomb explains why the South Korean banks and television stations infected by the malware all reported that their systems appeared to be disrupted beginning at about 2 p.m. local time on March 20. According to Manky, the use of a logic bomb made these attacks "a clear seek-and-destroy mission."

While South Korean officials have accused the North Korean government of launching the cyberattacks against its broadcasters and banks, a new group calling itself the Whois Team had stepped forward to claim credit for the attacks, via a defacement of the South Korean LG Electronics website, which Reuters earlier this week reported had been hacked at the same time as the South Korean banks and broadcasters.

But LG Thursday dismissed that report, saying that its systems hadn't been hacked. As a result, Richard Henderson, a threat researcher for FortiGuard Labs, told Wired Thursday that he doesn't believe that the South Korean attacks were the work of the Whois Team, whoever they are. "I firmly believe the Whois defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," he said.

Manky, at FortiGuard Labs, said Friday that Henderson's theory is unconfirmed, "as analysis is still under investigation with KISA." But he noted that the defacement didn't relate to any of the information included in the attacks, such as the use of the words "hastasi" or "principes" -- both of which refer to Roman legions -- to overwrite the MBR of infected systems.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Les Moor
Les Moor,
User Rank: Apprentice
3/24/2013 | 4:21:17 PM
re: South Korea Changes Story On Bank Hacks
Hmmm. N. Korea rattles saber and threatens S. Korea. China makes it clear that it won't be backing N. Korea's childish behavior. S. Korea decides being friends with China is not a bad idea. Surprised?
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.