Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


South Korea Changes Story On Bank Hacks

South Korean officials now say there's no evidence that the March 20 attack against banks and television stations was launched from a Chinese IP address.

Reversing previous assertions, South Korean officials Friday said there's no evidence that the March 20 cyberattack against some of the country's banks and television stations was launched from a Chinese IP address.

"We were careless in our efforts to double-check and triple-check," Korean Communications Commission (KCC) official Lee Seung-won told reporters Friday. "We will now make announcements only if our evidence is certain."

South Korean television broadcasters KBS, MBC and YTN were affected by the data-deleting malware attacks, which crashed their networks and wiped numerous systems, although they were able to remain broadcasting. The country's Jeju, NongHyup and Shinhan banks were also attacked, and they reported that banking operations were interrupted. While Woori Bank was also targeted in the Wednesday attacks, it wasn't infected, South Korean officials told Reuters.

The KCC had previously asserted that a Chinese IP address had been used to access an update management server at the NongHyup bank and distribute "wiper" malware via the server. The China attribution carried a political subtext, as the government of North Korea has previously launched cyberattacks against South Korean systems via Chinese IP addresses.

[ For more on the South Korean bank attacks, see South Korea Bank Hacks: 7 Key Facts. ]

The Korean mea culpa reflects the fact that when trying to trace online attacks, attribution remains difficult.

Still, how did the KCC fumble its investigation? According to a statement released Friday by the KCC, the agency mistook a private IP address used by the South Korean bank NongHyup to be an IP address that had been assigned to China. But the KCC Friday said that it had traced the origin of some attacks -- which deleted data from an estimated 32,000 Windows, Unix and Linux systems across the six affected organizations -- to a NongHyup bank system, and police have seized the system's hard drive. While that system might have been the source of multiple attacks, officials noted that it could itself have been remotely infected.

The affected organizations are still working to recover from the attacks. KCC officials said that as of Friday, the Jeju and Shinhan banks had restored their networks, but reported that related efforts were still underway at NongHyup. Meanwhile, KBS, MBC and YTN by Friday had restored only 10% of their wiped systems, and said a full recovery could take weeks. According to government officials, no new related attacks have been seen.

The attacks against South Korean banks and broadcasters -- which may have been designed for no other purpose than causing chaos -- appear to have been launched using multiple attack vectors, and a KCC spokesman said that authorities have launched a "multilateral" investigation to identify "all possible infiltration routes," reported South Korea's Yonhap News Agency.

At least one of those attack vectors involved a spear-phishing email campaign, launched Tuesday, that included a malware dropper, which, if it successfully infected a targeted PC, downloaded additional malware. "On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," read a blog post from researchers at Trend Micro. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide the malicious routines, a fake website is shown."

According to Trend Micro, the downloaded malware components included a Windows master boot record (MBR) wiper, as well as bash scripts able to delete the MBR of network-attached Unix and Linux systems. The Windows MBR wiper also included a logic bomb. "It is set to sleep until March 20 at 2:00 p.m.," said Trend Micro. "Upon the said date and time, the malware is activated."

FortiGuard Labs, which is part of security firm Fortinet, confirmed seeing at least two versions of the logic bomb used in attacks. "It was seen in a piece of malware sent to us by KISA [Korea Information Security Agency]," said Derek Manky, a senior security strategist at FortiGuard Labs, via email. "We detect this as W32/Kast.A!tr (Kast). We observed two variants, one with a logic bomb for March 20 @ 14:00h and one for March 20 @ 15:00h."

Attackers' use of a logic bomb explains why the South Korean banks and television stations infected by the malware all reported that their systems appeared to be disrupted beginning at about 2 p.m. local time on March 20. According to Manky, the use of a logic bomb made these attacks "a clear seek-and-destroy mission."

While South Korean officials have accused the North Korean government of launching the cyberattacks against its broadcasters and banks, a new group calling itself the Whois Team had stepped forward to claim credit for the attacks, via a defacement of the South Korean LG Electronics website, which Reuters earlier this week reported had been hacked at the same time as the South Korean banks and broadcasters.

But LG Thursday dismissed that report, saying that its systems hadn't been hacked. As a result, Richard Henderson, a threat researcher for FortiGuard Labs, told Wired Thursday that he doesn't believe that the South Korean attacks were the work of the Whois Team, whoever they are. "I firmly believe the Whois defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," he said.

Manky, at FortiGuard Labs, said Friday that Henderson's theory is unconfirmed, "as analysis is still under investigation with KISA." But he noted that the defacement didn't relate to any of the information included in the attacks, such as the use of the words "hastasi" or "principes" -- both of which refer to Roman legions -- to overwrite the MBR of infected systems.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Les Moor
Les Moor,
User Rank: Apprentice
3/24/2013 | 4:21:17 PM
re: South Korea Changes Story On Bank Hacks
Hmmm. N. Korea rattles saber and threatens S. Korea. China makes it clear that it won't be backing N. Korea's childish behavior. S. Korea decides being friends with China is not a bad idea. Surprised?
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-22
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
PUBLISHED: 2019-08-22
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
PUBLISHED: 2019-08-22
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.
PUBLISHED: 2019-08-22
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed.
PUBLISHED: 2019-08-22
A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key.