Attacks/Breaches
7/9/2013
02:15 PM
Connect Directly
RSS
E-Mail
50%
50%

South Korean Bank Hackers Target U.S. Military Secrets

Wiper malware APT gang has been traced to four-year military espionage campaign.

What of the WhoIs Team, which also claimed credit for the March wiper attacks? McAfee said that a wiper file traced to that group shared similarities with wiper malware used in New Romantic Cyber Army Team attacks. Still, it's unclear if the WhoIs Team is simply the same group, or another gang using repurposed malware components.

Overall, McAfee said it has tied New Romantic Cyber Army Team to Operation Troy attacks that occurred from 2009 to 2013. Malware used by the group, for example, appeared to have been employed in the 2011 "Ten Days of Rain" DDoS attacks against 40 sites affiliated with South Korean government, including U.S. Forces Korea and the U.S. Air Force Base in Kunsan, South Korea, as well as in other attacks that occurred in 2010, 2011 and 2013.

On June 25, meanwhile, the same group launched an attack against South Korean government and news websites, in part by distributing a modified installation file for the SimDisk file-sharing and storage service. That malware was distributed via the official SimDisk website, which pushes automatic updates to client software. Attackers hacked into the site and made it push not just a copy of the legitimate software, SimDisk.exe, to users, but also a disguised Trojan downloader, SimDiskup.exe.

That downloader connected to the Tor network to obtain a Trojan application called Castov that included a JPEG file that "contains a timestamp used by Castov to synchronize attacks," said a Symantec Security Response blog post. That timestamp detailed when all Castov-infected clients should send DNS requests to a South Korean government website, thus creating a DDoS attack.

Is the New Romantic Cyber Army Team simply a front for hackers in the employ of Pyongyang? According to South Korean cybersecurity experts, the March 2013 wiper attacks were traced to an IP address in the North Korean capital, which was revealed after the attacker experienced a technical glitch.

But the Troy-wielding gang has often launched their attacks under the hacktivism banner -- and the March wiper attacks, which included stealing data and holding it ransom, would appear to fit that mold. But McAfee's Sherstobitoff said that's likely just a ruse. "The Dark Seoul adversaries show a consistent pattern of psychological warfare that includes throwing off investigators by blaming the attacks on hacktivism," he said. "Both the March and June events share this feature."

Regardless of nomenclature, the attackers appear to have a grudge against both South Korea and the United States. For example, the date of the most recent attacks, June 25, was the 63rd anniversary of the start of the Korean War. "Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the Dark Seoul gang," said Symantec. "They previously conducted DDoS and wiping attacks on the U.S. Independence Day as well."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.