3/22/2013 11:26 AM

South Korea Changes Story On Bank Hacks

South Korean officials now say there's no evidence that the March 20 attack against banks and television stations was launched from a Chinese IP address.

Reversing previous assertions, South Korean officials Friday said there's no evidence that the March 20 cyberattack against some of the country's banks and television stations was launched from a Chinese IP address.

"We were careless in our efforts to double-check and triple-check," Korean Communications Commission (KCC) official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain."

South Korean television broadcasters KBS, MBC and YTN were affected by the data-deleting malware attacks, which crashed their networks and wiped numerous systems, although they were able to remain broadcasting. The country's Jeju, NongHyup and Shinhan banks were also attacked, and they reported that banking operations were interrupted. While Woori Bank was also targeted in the Wednesday attacks, it wasn't infected, South Korean officials told Reuters.

The KCC had previously asserted that a Chinese IP address had been used to access an update management server at the NongHyup bank and distribute "wiper" malware via the server. The China attribution carried a political subtext, as the government of North Korea has previously launched cyberattacks against South Korean systems via Chinese IP addresses.

The Korean mea culpa reflects the fact that when trying to trace online attacks, attribution remains difficult.

Still, how did the KCC fumble its investigation? According to a statement released Friday by the KCC, the agency mistook a private IP address used by the South Korean bank NongHyup for an IP address that had been assigned to China. But the KCC Friday said that it had traced the origin of some attacks -- which deleted data from an estimated 32,000 Windows, Unix and Linux systems across the six affected organizations -- to a NongHyup bank system, and police have seized the system's hard drive. While that system might have been the source of multiple attacks, officials noted that it could itself have been remotely infected.

The affected organizations are still working to recover from the attacks. KCC officials said that as of Friday, the Jeju and Shinhan banks had restored their networks, but reported that related efforts were still underway at NongHyup. Meanwhile, KBS, MBC and YTN by Friday had restored only 10% of their wiped systems, and said a full recovery could take weeks. According to government officials, no new related attacks have been seen.

The attacks against South Korean banks and broadcasters -- which may have been designed for no other purpose than causing chaos -- appear to have been launched using multiple attack vectors, and a KCC spokesman said that authorities have launched a "multilateral" investigation to identify "all possible infiltration routes," reported South Korea's Yonhap News Agency.

At least one of those attack vectors involved a spear-phishing email campaign, launched Tuesday, that included a malware dropper, which, if it successfully infected a targeted PC, downloaded additional malware. "On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," read a blog post from researchers at Trend Micro. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide the malicious routines, a fake website is shown."

According to Trend Micro, the downloaded malware components included a Windows master boot record (MBR) wiper, as well as bash scripts able to delete the MBR of network-attached Unix and Linux systems. The Windows MBR wiper also included a logic bomb. "It is set to sleep until March 20 at 2:00 p.m.," said Trend Micro. "Upon the said date and time, the malware is activated."

FortiGuard Labs, which is part of security firm Fortinet, confirmed seeing at least two versions of the logic bomb used in attacks. "It was seen in a piece of malware sent to us by KISA [Korea Information Security Agency]," said Derek Manky, a senior security strategist at FortiGuard Labs, via email. "We detect this as W32/Kast.A!tr (Kast). We observed two variants, one with a logic bomb for March 20 @ 14:00h and one for March 20 @ 15:00h."

Attackers' use of a logic bomb explains why the South Korean banks and television stations infected by the malware all reported that their systems appeared to be disrupted beginning at about 2 p.m. local time on March 20. According to Manky, the use of a logic bomb made these attacks "a clear seek-and-destroy mission."

While South Korean officials have accused the North Korean government of launching the cyberattacks against its broadcasters and banks, a new group calling itself the Whois Team had stepped forward to claim credit for the attacks, via a defacement of the South Korean LG Electronics website, which Reuters earlier this week reported had been hacked at the same time as the South Korean banks and broadcasters.

But LG Thursday dismissed that report, saying that its systems hadn't been hacked. As a result, Richard Henderson, a threat researcher for FortiGuard Labs, told Wired Thursday that he doesn't believe that the South Korean attacks were the work of the Whois Team, whoever they are. "I firmly believe the Whois defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," he said.

Manky, at FortiGuard Labs, said Friday that Henderson's theory is unconfirmed, "as analysis is still under investigation with KISA." But he noted that the defacement didn't relate to any of the information included in the attacks, such as the use of the words "hastasi" or "principes" -- both of which refer to Roman legions -- to overwrite the MBR of infected systems.
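A first-sector triage check of the kind an incident responder could run over a disk image to spot the MBR overwrite described above. This is an added example, not code from the article or from any of the researchers quoted; the only page-derived values are the two overwrite strings, and the sample sectors are constructed here for illustration.

```python
import struct

# The article reports that the wiper overwrote the MBR of infected systems with
# the words "hastasi" or "principes"; the marker list below is taken from that.
# Sample sectors built in this file are constructed for illustration only.
MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
WIPER_MARKERS = (b"hastasi", b"principes")


def inspect_mbr(sector: bytes) -> dict:
    """Triage the first 512 bytes of a disk image.

    Reports whether the 0x55AA boot signature is intact, which known overwrite
    markers appear, and how many of the four partition-table entries are
    non-empty. A sector is flagged as suspected wiped when a marker is present,
    or when both the signature and the whole partition table are gone.
    """
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    sector = sector[:MBR_SIZE]
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    markers = [m.decode() for m in WIPER_MARKERS if m in sector]
    # Partition table: four 16-byte entries starting at offset 446
    entries = [sector[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    nonempty = sum(1 for e in entries if any(e))
    wiped = bool(markers) or (not signature_ok and nonempty == 0)
    return {"signature_ok": signature_ok, "markers": markers,
            "partitions": nonempty, "suspected_wiped": wiped}


def sample_healthy_mbr() -> bytes:
    """Constructed MBR: empty boot code, one Linux partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    # status, CHS start (3), type 0x83, CHS end (3), LBA start, sector count
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x83,
                        254, 255, 255, 2048, 204800)
    sector[446:462] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def sample_wiped_mbr(marker: bytes = b"principes") -> bytes:
    """Constructed MBR whose first sector is filled with a repeated marker."""
    return (marker * (MBR_SIZE // len(marker) + 1))[:MBR_SIZE]


if __name__ == "__main__":
    for name, sector in (("healthy", sample_healthy_mbr()),
                         ("wiped", sample_wiped_mbr())):
        print(name, inspect_mbr(sector))
```

On a real image, read the first 512 bytes of the raw device or image file and pass them to `inspect_mbr`; a hit on a marker string is a much stronger signal than a missing signature alone, since a blank or damaged table also occurs on unpartitioned media.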

Comments

Les Moor (User Rank: Apprentice), 3/24/2013 4:21:17 PM
re: South Korea Changes Story On Bank Hacks
Hmmm. N. Korea rattles saber and threatens S. Korea. China makes it clear that it won't be backing N. Korea's childish behavior. S. Korea decides being friends with China is not a bad idea. Surprised?