Researchers confirm data-destroying malware that hit South Korean media and banks doesn't completely erase data

Dark Reading Staff, Dark Reading

March 23, 2013

2 Min Read

Researchers from a unit of defense contractor General Dynamics today confirmed their suspicions that it is possible to recover data wiped from South Korean media and bank systems in a destructive targeted attack earlier this week.

In an interview with Dark Reading yesterday, Jim Jaeger, vice president of cybersecurity services for General Dynamics Fidelis Cybersecurity Solutions, said the wiper malware used in the attacks, while similar in some ways to the Shamoon data-destroying malware, was "a little less effective" and easier to recover from.

"Our focus has been on the recovery process -- recovering data and enabling a reboot of the computer without generating a whole clean reload. It looks like there is a way to do that," he said in the interview.

Today, Jaeger's team announced in a blog post that they indeed were able to prove that files and data wiped by the malware, which overwrote the Master Boot Record (MBR) and Volume Boot Record (VBR), are recoverable. So the data that was wiped isn't gone forever.

The Fidelis Cybersecurity Solutions team used the same recovery techniques they used to restore data lost in the Shamoon attacks against Saudi Aramco last summer. They were able to detect the new so-called Darkseoul or Jokra malware as it hit the network in tests, and ultimately restore any data that was overwritten by the malware.

"The malware samples that have been analyzed by our team are different in code and function from the Shamoon malware. However, by using the same recovery methods found in advisory #1007 the files and data are indeed recoverable," the researchers wrote today, along with instructions for how to restore the lost data (PDF).

Jaegar described the Darkseoul/Jokra malware as "more streamlined and simplistic" than Shamoon, but similar in the fact that it goes after the MBR and wipes data.

"What's impressive about this attack is its ability to hit multiple commercial entities in what appears to be a fairly orchestrated manner," he says.

This type of old-school destructive attack is back, and this won't be the last time we see it. "[The attack on] Aramco [with Shamoon] was something we hadn't seen in some time. I think there's a likelihood of copycat attacks," Jaegar says. "I suspect we're going to be seeing more of these in the future."

Data-annihilation attacks are painful because they are so public, he says, and the damage can be so high reputation-wise for the victim company, such as a bank or media outlet.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights