11:27 AM

South Korean Banks Lose Data In Malware Attack

Computer networks at banks and television stations in South Korea froze after targeted malware deleted data from numerous PCs. Was North Korea involved?

Police in South Korea are investigating a coordinated series of malware attacks against several of the country's banks and television stations. The attacks disrupted websites, interrupted banking transactions and wiped PCs.

Targeted businesses included at least three South Korean broadcasters, three banks -- Shinhan, Nonghyup and Jeju -- and two insurance firms. Computer networks at the affected organizations appeared to halt around 2:20 p.m. local time for unknown reasons, reported South Korea's Yonhap News Agency. South Korea's Woori Bank reported that it had detected a hacking attack at about the same time, which it reportedly mitigated.

Shinhan said the network freeze affected its ATMs, online banking and banking-by-smartphone operations. Affected television stations, however, were able to continue broadcasting without interruption.

[ What does "cyber war" really mean? We're still figuring it out. Read Uncertain State Of Cyber War. ]

"This is the biggest and most serious cyberattack in two years," Shin Hong Sun, an official at the Korea Communications Commission, told Bloomberg. "There haven't been simultaneous attacks on more than one target since 2011." South Korean stocks tumbled after the attacks, with the Kospi Index (KOSPI) of all common stocks on the South Korean market losing 1% of its value, according to Bloomberg.

The attacked sites were defaced with messages by a group calling itself the "Whois Team." One of the defaced sites featured the following English-language message: "Hi!!! We have an Interest in Hacking. This is the Beginning of our Movement. User Acounts (sic) and All Data are in Our Hands. Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again."

South Korean officials said it was too early to tell if the attacks had been launched by North Korea. "We do not rule out the possibility of North Korea being involved, but it's premature to say so," South Korea defense ministry spokesman Kim Min-seok told the BBC.

North Korea has been blamed for previous online attacks against South Korean networks. "There have been numerous serious attacks on South Korean networks and systems over the last few years, from recent newspaper site defacements and the most recent network attacks to the so-called 'Ten Days of Rain' DDoS attacks on multiple government sites and the USFK [United States Forces Korea] in 2011," said Christopher Boyd, senior threat researcher for ThreatTrack Security, which was spun off this month from GFI Software, in an emailed statement.

But while North Korea has been blamed for many of the attacks, the evidence in some cases remains circumstantial, and that's the case with this most recent series of attacks as well. "While it's tempting to attribute these attacks to the North … many attacks are not so easy to pin down," Boyd said. "We should be wary of attributing any blame until the full facts emerge."

According to Kaspersky Lab, the latest malware attacks don't bear the hallmarks of a nation-state campaign. "Obviously, the attacks were designed to be 'loud' -- the victims are broadcasting companies and banks," read a Kaspersky Lab Securelist blog post. "This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame."

Employees at affected organizations have posted post-infection PC screenshots showing that their operating systems appear to have been deleted. "The screenshots from victim's computers indicate [that a] 'Wiper' type of malware was also used," said Kaspersky Lab. This type of malware has previously been seen in the Iranian Wiper attacks that deleted sensitive information from systems in the Middle East. Similarly, the Shamoon malware -- which was apparently launched by a band of activists protesting the commercialization of oil reserves in some Arab countries -- deleted data and disabled an estimated 30,000 PCs at Saudi Aramco, which is Saudi Arabia's largest oil producer.

Tensions between South Korea and North Korea have been running high since North Korea's latest nuclear test on February 12, which was followed by United Nations sanctions and joint U.S.-South Korea military exercises. On Friday, North Korea accused the United States and South Korea of launching cyberattacks against its official government websites, including the KCNA news agency and Rodong Sinmun newspaper. The sites reportedly experienced intermittent disruptions.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/20/2013 | 9:35:53 PM
re: South Korean Banks Lose Data In Malware Attack
The targets may even suggest South Korean insiders with ease of access. Do these companies contract out the management of their IT services? The insurance site hacks are probably the key to solving it...where do they fit in for a political attack? I agree with Lacertosus that this may be difficult for North Korea to pull off no matter how much they've upgraded their Apple II's and Commodore 64's.
User Rank: Apprentice
3/20/2013 | 5:30:49 PM
re: South Korean Banks Lose Data In Malware Attack
My guess would be an attack from China.
User Rank: Apprentice
3/20/2013 | 4:44:53 PM
re: South Korean Banks Lose Data In Malware Attack
Not sure if North Korea has either the expertise or the technology to accomplish such a sophisticated, coordinated and effective attack. There has to be more to the story!

One can't help but remain skeptical as all governments have their own ulterior motives and agendas.

Disappearing Act: Dark Reading Caption Contest Winners
Marilyn Cohodas, Community Editor, Dark Reading,  3/12/2018
Microsoft Report Details Different Forms of Cryptominers
Kelly Sheridan, Staff Editor, Dark Reading,  3/13/2018
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.