Attacks/Breaches
3/22/2013
11:26 AM

South Korea Changes Story On Bank Hacks

South Korean officials now say there's no evidence that the March 20 attack against banks and television stations was launched from a Chinese IP address.

Reversing previous assertions, South Korean officials Friday said there's no evidence that the March 20 cyberattack against some of the country's banks and television stations was launched from a Chinese IP address.

"We were careless in our efforts to double-check and triple-check," Korean Communications Commission (KCC) official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain."

South Korean television broadcasters KBS, MBC and YTN were affected by the data-deleting malware attacks, which crashed their networks and wiped numerous systems, although they were able to remain broadcasting. The country's Jeju, NongHyup and Shinhan banks were also attacked, and they reported that banking operations were interrupted. While Woori Bank was also targeted in the Wednesday attacks, it wasn't infected, South Korean officials told Reuters.

The KCC had previously asserted that a Chinese IP address had been used to access an update management server at the NongHyup bank and distribute "wiper" malware via the server. The China attribution carried a political subtext, as the government of North Korea has previously launched cyberattacks against South Korean systems via Chinese IP addresses.

[ For more on the South Korean bank attacks, see South Korea Bank Hacks: 7 Key Facts. ]

The Korean mea culpa reflects how difficult attribution remains when tracing online attacks: a source IP address pulled from a log identifies, at best, the last hop the traffic took, which may be a compromised intermediary, a proxy, or simply a misread internal address, rather than whoever is actually behind the attack.

Still, how did the KCC fumble its investigation? According to a statement released Friday by the KCC, the agency mistook an IP address that NongHyup used internally for a public address allocated to China. The KCC also said Friday that it had traced the origin of some attacks -- which deleted data from an estimated 32,000 Windows, Unix and Linux systems across the six affected organizations -- to a NongHyup bank system, and police have seized the system's hard drive. While that system might have been the source of multiple attacks, officials noted that it could itself have been remotely infected, which would make it a relay rather than the origin.
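The NongHyup mix-up is a procedural failure that can be caught with a mechanical check: before any address from a log is geolocated or run through WHOIS, test it against the victim's own internal address plan and against the IANA special-purpose blocks. The following is an added example and is not code from the article or from the KCC investigation; the internal ranges, the log format and every address in the sample log are constructed for illustration, and the real addresses in the 2013 case are not on the page. One of the constructed "internal" blocks, 172.32.0.0/16, is deliberately public space rather than RFC 1918, because organizations do borrow public blocks for internal use and such a block geolocates to whoever it is registered to, which is exactly the trap described above.

```python
"""Source-address triage before attribution.

Added example, not code from the article or from the KCC investigation.
Order of checks: the organisation's own address plan first, then the
special-purpose blocks, and only what survives both is an external lead.

Assumptions (nothing here is from the page): INTERNAL_RANGES, the log
format and the addresses in SAMPLE_LOG are constructed for illustration.
"""
import ipaddress
import re

# IPv4 special-purpose blocks (RFC 6890 and successors) that can never
# identify an outside party on their own.
SPECIAL_PURPOSE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: the victim organisation's internal address plan, as an
# analyst would obtain it from the network team. 172.32.0.0/16 is a
# borrowed public block: it sits just outside RFC 1918 172.16.0.0/12.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.32.0.0/16",
)]

# Constructed log lines from a hypothetical update-management server.
SAMPLE_LOG = """\
2013-03-20 13:58:02 push src=172.32.5.17 path=/update/agent.exe
2013-03-20 13:58:09 push src=10.44.1.9 path=/update/agent.exe
2013-03-20 13:59:20 login src=172.31.200.4 user=admin
2013-03-20 13:59:41 login src=203.0.113.77 user=admin
2013-03-20 13:59:55 login src=172.33.0.5 user=admin
""".splitlines()

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr, internal_ranges=INTERNAL_RANGES):
    """Return 'internal', 'special-purpose' or 'external' for one address.

    Internal ranges are checked first so that a borrowed public block is
    recognised as the organisation's own before any registry is consulted.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in internal_ranges):
        return "internal"
    if any(ip in net for net in SPECIAL_PURPOSE):
        return "special-purpose"
    return "external"


def triage(log_lines, internal_ranges=INTERNAL_RANGES):
    """Map each source address found in the log to its classification."""
    result = {}
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            result[m.group(1)] = classify(m.group(1), internal_ranges)
    return result


def external_leads(log_lines, internal_ranges=INTERNAL_RANGES):
    """Only these addresses are worth a geolocation or WHOIS lookup."""
    return sorted(ip for ip, kind in triage(log_lines, internal_ranges).items()
                  if kind == "external")


if __name__ == "__main__":
    for ip, kind in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {kind}")
    print("candidates for external attribution:", external_leads(SAMPLE_LOG))
```

Run against the constructed log, only 172.33.0.5 survives as an external lead; 172.32.5.17 is the bank's own borrowed block, 172.31.200.4 is RFC 1918, and 203.0.113.77 is documentation space. Without the internal-plan list, 172.32.5.17 would be reported as external and geolocated to its registrant, which is the same mistake the KCC made.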

The affected organizations are still working to recover from the attacks. KCC officials said that as of Friday, the Jeju and Shinhan banks had restored their networks, but reported that related efforts were still underway at NongHyup. Meanwhile, KBS, MBC and YTN by Friday had restored only 10% of their wiped systems, and said a full recovery could take weeks. According to government officials, no new related attacks have been seen.

The attacks against South Korean banks and broadcasters -- which may have been designed for no other purpose than causing chaos -- appear to have been launched using multiple attack vectors, and a KCC spokesman said that authorities have launched a "multilateral" investigation to identify "all possible infiltration routes," reported South Korea's Yonhap News Agency.

At least one of those attack vectors involved a spear-phishing email campaign, launched Tuesday, that included a malware dropper, which, if it successfully infected a targeted PC, downloaded additional malware. "On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," read a blog post from researchers at Trend Micro. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide the malicious routines, a fake website is shown."

According to Trend Micro, the downloaded malware components included a Windows master boot record (MBR) wiper, as well as bash scripts able to delete the MBR of network-attached Unix and Linux systems. The Windows MBR wiper also included a logic bomb. "It is set to sleep until March 20 at 2:00 p.m.," said Trend Micro. "Upon the said date and time, the malware is activated."

FortiGuard Labs, which is part of security firm Fortinet, confirmed seeing at least two versions of the logic bomb used in attacks. "It was seen in a piece of malware sent to us by KISA [Korea Information Security Agency]," said Derek Manky, a senior security strategist at FortiGuard Labs, via email. "We detect this as W32/Kast.A!tr (Kast). We observed two variants, one with a logic bomb for March 20 @ 14:00h and one for March 20 @ 15:00h."

Attackers' use of a logic bomb explains why the South Korean banks and television stations infected by the malware all reported that their systems appeared to be disrupted beginning at about 2 p.m. local time on March 20. According to Manky, the use of a logic bomb made these attacks "a clear seek-and-destroy mission."

While South Korean officials have accused the North Korean government of launching the cyberattacks against its broadcasters and banks, a new group calling itself the Whois Team had stepped forward to claim credit for the attacks, via a defacement of the South Korean LG Electronics website, which Reuters earlier this week reported had been hacked at the same time as the South Korean banks and broadcasters.

But LG Thursday dismissed that report, saying that its systems hadn't been hacked. As a result, Richard Henderson, a threat researcher for FortiGuard Labs, told Wired Thursday that he doesn't believe that the South Korean attacks were the work of the Whois Team, whoever they are. "I firmly believe the Whois defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," he said.

Manky, at FortiGuard Labs, said Friday that Henderson's theory is unconfirmed, "as analysis is still under investigation with KISA." But he noted that the defacement didn't relate to any of the information included in the attacks, such as the use of the words "hastati" or "principes" -- the names of two infantry classes in the Roman legion -- to overwrite the MBR of infected systems.
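Two passages above describe what the Windows component actually did to a victim: the Trend Micro analysis says it wiped the master boot record after its logic bomb fired, and Manky notes the words written into the MBR. The following check, added here and not code from the article, Trend Micro or FortiGuard, shows what a responder looks for when triaging a disk image or a first-sector dump after such an attack: the 0x55AA boot signature, a plausible partition table, and any known wiper marker text. The exact byte form of the markers on disk (case, padding, trailing punctuation) is not given on the page, so the search is case-insensitive on the words themselves; the healthy and wiped sectors in the block are constructed test data, not captures from the 2013 systems.

```python
"""MBR integrity check for a disk image or a first-sector dump.

Added example, not code from the article, Trend Micro or FortiGuard.
Assumptions: the on-disk byte form of the marker words is not on the
page, so matching is case-insensitive on the words; make_healthy_mbr and
make_wiped_mbr build constructed sectors for demonstration only.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR
WIPER_MARKERS = (b"hastati", b"principes")  # words from the article; byte form assumed


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "status": status,
                            "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def assess_mbr(sector):
    """Classify one sector; 'intact' is False if any finding is raised."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    partitions = parse_partitions(sector)
    if not partitions:
        findings.append("partition table empty")
    for p in partitions:
        # A valid status byte is 0x00 (inactive) or 0x80 (active); anything
        # else means the table has been overwritten with foreign data.
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition entry {p['index']} has invalid status byte")
    lowered = sector.lower()
    for marker in WIPER_MARKERS:
        if marker in lowered:
            findings.append(f"wiper marker {marker.decode()} present")
    return {"intact": not findings, "partitions": partitions, "findings": findings}


def make_healthy_mbr():
    """Constructed: empty boot code, one bootable NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def make_wiped_mbr(marker=b"PRINCIPES"):
    """Constructed: the sector filled end to end with a repeated marker string."""
    return (marker * (SECTOR_SIZE // len(marker) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    for name, sector in (("healthy", make_healthy_mbr()),
                         ("wiped", make_wiped_mbr(b"HASTATI."))):
        report = assess_mbr(sector)
        print(name, "intact" if report["intact"] else "DAMAGED", report["findings"])
```

On a real image the first sector is read with something like `assess_mbr(open("disk.img", "rb").read(512))`; the same call works on a block device when run with sufficient privilege. A missing signature alone is already enough to stop the machine booting, which is why the broadcasters reported crashed and unrecoverable systems rather than a subtle infection.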


Comments
Les Moor,
User Rank: Apprentice
3/24/2013 | 4:21:17 PM
re: South Korea Changes Story On Bank Hacks
Hmmm. N. Korea rattles saber and threatens S. Korea. China makes it clear that it won't be backing N. Korea's childish behavior. S. Korea decides being friends with China is not a bad idea. Surprised?