Attacks/Breaches
3/22/2013
11:26 AM
Connect Directly
RSS
E-Mail
50%
50%

South Korea Changes Story On Bank Hacks

South Korean officials now say there's no evidence that the March 20 attack against banks and television stations was launched from a Chinese IP address.

Reversing previous assertions, South Korean officials Friday said there's no evidence that the March 20 cyberattack against some of the country's banks and television stations was launched from a Chinese IP address.

"We were careless in our efforts to double-check and triple-check," Korean Communications Commission (KCC) official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain."

South Korean television broadcasters KBS, MBC and YTN were affected by the data-deleting malware attacks, which crashed their networks and wiped numerous systems, although they were able to remain broadcasting. The country's Jeju, NongHyup and Shinhan banks were also attacked, and they reported that banking operations were interrupted. While Woori Bank was also targeted in the Wednesday attacks, it wasn't infected, South Korean officials told Reuters.

The KCC had previously asserted that a Chinese IP address had been used to access an update management server at the NongHyup bank and distribute "wiper" malware via the server. The China attribution carried a political subtext, as the government of North Korea has previously launched cyberattacks against South Korean systems via Chinese IP addresses.

[ For more on the South Korean bank attacks, see South Korea Bank Hacks: 7 Key Facts. ]

The Korean mea culpa reflects the fact that when trying to trace online attacks, attribution remains difficult.

Still, how did the KCC fumble its investigation? According to a statement released Friday by the KCC, the agency mistook a private IP address used by the South Korean bank NongHyup to be an IP address that had been assigned to China. But the KCC Friday said that it had traced the origin of some attacks -- which deleted data from an estimated 32,000 Windows, Unix and Linux systems across the six affected organizations -- to a NongHyup bank system, and police have seized the system's hard drive. While that system might have been the source of multiple attacks, officials noted that it could itself have been remotely infected.

The affected organizations are still working to recover from the attacks. KCC officials said that as of Friday, the Jeju and Shinhan banks had restored their networks, but reported that related efforts were still underway at NongHyup. Meanwhile, KBS, MBC and YTN by Friday had restored only 10% of their wiped systems, and said a full recovery could take weeks. According to government officials, no new related attacks have been seen.

The attacks against South Korean banks and broadcasters -- which may have been designed for no other purpose than causing chaos -- appear to have been launched using multiple attack vectors, and a KCC spokesman said that authorities have launched a "multilateral" investigation to identify "all possible infiltration routes," reported South Korea's Yonhap News Agency.

At least one of those attack vectors involved a spear-phishing email campaign, launched Tuesday, that included a malware dropper, which, if it successfully infected a targeted PC, downloaded additional malware. "On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," read a blog post from researchers at Trend Micro. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide the malicious routines, a fake website is shown."

According to Trend Micro, the downloaded malware components included a Windows master boot record (MBR) wiper, as well as bash scripts able to delete the MBR of network-attached Unix and Linux systems. The Windows MBR wiper also included a logic bomb. "It is set to sleep until March 20 at 2:00 p.m.," said Trend Micro. "Upon the said date and time, the malware is activated."

FortiGuard Labs, which is part of security firm Fortinet, confirmed seeing at least two versions of the logic bomb used in attacks. "It was seen in a piece of malware sent to us by KISA [Korea Information Security Agency]," said Derek Manky, a senior security strategist at FortiGuard Labs, via email. "We detect this as W32/Kast.A!tr (Kast). We observed two variants, one with a logic bomb for March 20 @ 14:00h and one for March 20 @ 15:00h."

Attackers' use of a logic bomb explains why the South Korean banks and television stations infected by the malware all reported that their systems appeared to be disrupted beginning at about 2 p.m. local time on March 20. According to Manky, the use of a logic bomb made these attacks "a clear seek-and-destroy mission."

While South Korean officials have accused the North Korean government of launching the cyberattacks against its broadcasters and banks, a new group calling itself the Whois Team had stepped forward to claim credit for the attacks, via a defacement of the South Korean LG Electronics website, which Reuters earlier this week reported had been hacked at the same time as the South Korean banks and broadcasters.

But LG Thursday dismissed that report, saying that its systems hadn't been hacked. As a result, Richard Henderson, a threat researcher for FortiGuard Labs, told Wired Thursday that he doesn't believe that the South Korean attacks were the work of the Whois Team, whoever they are. "I firmly believe the Whois defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," he said.

Manky, at FortiGuard Labs, said Friday that Henderson's theory is unconfirmed, "as analysis is still under investigation with KISA." But he noted that the defacement didn't relate to any of the information included in the attacks, such as the use of the words "hastasi" or "principes" -- both of which refer to Roman legions -- to overwrite the MBR of infected systems.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Les Moor
50%
50%
Les Moor,
User Rank: Apprentice
3/24/2013 | 4:21:17 PM
re: South Korea Changes Story On Bank Hacks
Hmmm. N. Korea rattles saber and threatens S. Korea. China makes it clear that it won't be backing N. Korea's childish behavior. S. Korea decides being friends with China is not a bad idea. Surprised?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8243
Published: 2014-11-01
Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote a...

CVE-2014-8244
Published: 2014-11-01
Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote a...

CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.