3/20/2013 03:52 PM

'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets

Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit

A wave of cyberattacks that targeted South Korean banks and media networks today employed destructive malware that wiped the hard drives and attached drives of infected machines, crippling the organizations for hours as data was lost and the infected machines were unable to reboot.

Details of the attacks are still coming to light, but security experts have gotten a close-up look at the malware that was used in the attacks. One theory being studied by Symantec and other security firms is whether the malware initially was spread via drive-by attacks, specifically a watering-hole strategy in which the attackers infected websites that users at those organizations would frequent, but Symantec says it has not confirmed that vector. Security firm Avast, meanwhile, suggests that the attack originated from a legitimate Korean website, Korea Software Property Right Council (SPC), that housed the malware.

Reports came out of South Korea today that computer screens went blank at 2 p.m. local time/5:00 a.m. GMT. The machines were defaced with a message from "The WhoIs Team" warning that the attackers had all of the victims' user accounts and data -- and that they had deleted the data. "We'll be back soon," the messages also said. Television media outlets YTN, MBC, and KBS were targeted, as were two major banks, Shinhan Bank and NongHyup Bank, according to Reuters. Other reports said Korean ISP LG U+, which provides services to some of the victims, also was breached in the attacks.

South Korean military and government networks weren't infected, but the Korean army raised its alert level amid worries that North Korea was behind the attacks given the escalating tensions between the nations. North Korea several days ago claimed that South Korea and the U.S. were behind attacks that knocked several of its websites offline for close to two days -- all of that in the wake of recent nuclear threats from North Korea, as well as drones and rocket attack exercises conducted by North Korea.

While the data-wiping attack against South Korean banks and media outlets has the earmarks of hacktivists, attribution is difficult. So far, there's no confirmation of a larger cyberwar campaign by North Korea or another nation, but not surprisingly, that was one of the initial concerns when the attacks hit. The signs could be mere false flags as well, aimed to throw investigators off the trail of the real attackers.

Another theory is that China is behind the attacks on South Korea. That was the conclusion of security firm Avast after studying the malware and finding several Chinese words and other clues in the malware. "The attack probably originates in China. Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executable makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese," according to its blog post today, pointing out some Chinese words in the code.

Regardless of who is behind them, the attacks resemble the one that hit Saudi Aramco last year, which is believed to have used the data-destroying Shamoon malware and wiped data from some 10,000 machines, crippling the company's internal network. Even so, the malware used in the South Korean attacks is different from Shamoon in some ways, says Liam O Murchu, manager of operations at Symantec Security Response. "It operates differently ... but it's still destructive," Murchu says.

It was specifically written for Korean targets, for instance, and checks for Korean antivirus products to disable, Murchu says. In addition, it overwrites the Master Boot Record (MBR), wipes the contents of the hard disk, and can do the same on any attached or mapped drives. With the MBR and the drive contents gone, the machine can no longer boot. Symantec has named the malware Trojan Horse/Trojan.Jokra and WS.Reputation.1.
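The MBR overwrite described above is one of the few effects of a wiper that a responder can check mechanically on a disk image. The following is an added example, not code from the article or from any of the vendors quoted: it compares a 512-byte sector-0 image against a known-good baseline hash and checks the 0x55AA boot signature and the partition-entry status bytes, using a constructed sample MBR and a constructed all-zero "wiped" sector.

```python
import hashlib

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xAA"       # last two bytes of a valid MBR

def mbr_checks(sector0: bytes) -> dict:
    """Structural sanity checks on a 512-byte MBR image."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    table = sector0[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    return {
        "boot_signature_ok": sector0[510:512] == BOOT_SIGNATURE,
        # status byte must be 0x00 (inactive) or 0x80 (bootable)
        "partition_status_ok": all(e[0] in (0x00, 0x80) for e in entries),
        "active_partitions": sum(1 for e in entries if e[0] == 0x80),
        "nonempty_entries": sum(1 for e in entries if any(e)),
    }

def mbr_baseline(sector0: bytes) -> str:
    """Baseline fingerprint to record while the system is known-good."""
    return hashlib.sha256(sector0).hexdigest()

def assess_mbr(sector0: bytes, baseline_hash: str) -> dict:
    """Combine structural checks with the baseline comparison."""
    result = mbr_checks(sector0)
    result["matches_baseline"] = mbr_baseline(sector0) == baseline_hash
    result["suspicious"] = not (result["boot_signature_ok"]
                                and result["partition_status_ok"]
                                and result["matches_baseline"])
    return result

def build_sample_mbr() -> bytes:
    """Constructed minimal well-formed MBR: one active NTFS-type partition."""
    code = b"\x33\xC0" + b"\x90" * 444          # 446 bytes of bootstrap placeholder
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little")      # first LBA
             + (204800).to_bytes(4, "little"))   # sector count
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def build_wiped_mbr() -> bytes:
    """Constructed stand-in for an overwritten sector 0 (not the real payload)."""
    return b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    good = build_sample_mbr()
    base = mbr_baseline(good)
    print(assess_mbr(good, base))
    print(assess_mbr(build_wiped_mbr(), base))
```

On a live Linux host the same functions can be fed the first 512 bytes read from the block device (for example `open("/dev/sda", "rb").read(512)`), with the baseline hash recorded while the machine is known-good.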

"It is likely that the group that is called 'Whois Team' is a new one [and] just decided to deface the LG-owned website after they watched the news and they found out about the attacks affecting the banks and media systems," says Jaime Blasco, labs manager at Alien Vault Labs. "Another possibility is that a sophisticated group of attackers gained access to the banks and media systems, performed whatever actions they wanted to do, and then wiped all the systems to clean their tracks."

Or the attackers merely wanted to create panic and financial loss to the victims, he says. "The LG-owned website hack can also be a diversionary tactic or false flag operation to give false data about who is behind the attacks," Blasco says.

The malware may have been created using the GonDad exploit kit available on the black market, based on the filenames used in the attack, he says, although that's just a theory for now.

"I would say that the attackers could have built/bought access to a botnet that had infected systems from the affected entities -- media and banking, etc. -- and then they could have gained access to the network, gotten admin credentials, and executed the wiper payload," he says.

[Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery. See The Data-Annihilation Attack Is Back.]

"Obviously, the attacks were designed to be 'loud' -- the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," Kaspersky Lab analysts wrote in a blog post today.

Kaspersky analysts say it's hard to tell whether this was an isolated attack or part of a larger "cyberwar" initiative. "If a nation state is NOT behind these attacks, then it's just cyber-terrorism; cyberwar requires a nation state to be behind the attacks. In general, if the attacks target critical infrastructure, they can be considered cyber-terrorism. According to the definition of critical infrastructure, banks can be considered as such, therefore, this counts as a cyberterrorism attack," they said. "Previous incidents like Stuxnet and Wiper were part of an ongoing cyberwar campaign that went for years, although in a more stealthy fashion."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
