Dark Reading is part of the Informa Tech Division of Informa PLC

'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets

Malware that wiped hard drives of infected machines and attached drives may have been built using GonDad exploit kit

A wave of cyberattacks that targeted South Korean banks and media networks today employed destructive malware that wiped the hard drives and attached drives of infected machines, crippling the organizations for hours as data was lost and the infected machines were unable to reboot.

Details of the attacks are still coming to light, but security experts have gotten a close-up look at the malware that was used in the attacks. One theory being studied by Symantec and other security firms is whether the malware initially was spread via drive-by attacks, specifically with a watering-hole strategy that infected websites that users at those organizations would frequent, but Symantec says it has not confirmed that vector. Security firm Avast, meanwhile, suggests that the attack originated from a legitimate Korean website, that of the Korea Software Property Right Council (SPC), which hosted the malware.

Reports came out of South Korea today that computer screens went blank at 2 p.m. local time (5 a.m. GMT). The machines were defaced with a message from "The WhoIs Team" warning that the attackers had all of the victims' user accounts and data -- and that they had deleted the data. "We'll be back soon," the messages also said. Television media outlets YTN, MBC, and KBS were targeted, as were two major banks, Shinhan Bank and NongHyup Bank, according to Reuters. Other reports said Korean ISP LG U+, which provides services to some of the victims, also was breached in the attacks.

South Korean military and government networks weren't infected, but the Korean army raised its alert level amid worries that North Korea was behind the attacks given the escalating tensions between the nations. North Korea several days ago claimed that South Korea and the U.S. were behind attacks that knocked several of its websites offline for close to two days -- all of that in the wake of recent nuclear threats from North Korea, as well as drones and rocket attack exercises conducted by North Korea.

While the data-wiping attack against South Korean banks and media outlets has the earmarks of hacktivists, attribution is difficult. So far, there's no confirmation of a larger cyberwar campaign by North Korea or another nation, but not surprisingly, that was one of the initial concerns when the attacks hit. The signs could be mere false flags as well, aimed to throw investigators off the trail of the real attackers.

Another theory is that China is behind the attacks on South Korea. That was the conclusion of security firm Avast after studying the malware and finding several Chinese words and other clues in the code. "The attack probably originates in China. Aside from location of the final (laoding521.eicp.net), which is in China, analysis of both 2nd and 3rd stage executables makes us think so. First of all, file names like tongji (statistics), tong (connect), pao (run) are definitely Chinese," according to its blog post today, pointing out some Chinese words in the code.

Regardless of who is behind them, the attacks resemble the one that hit Saudi Aramco last year, an attack believed to have used the data-destroying Shamoon malware, which wiped data from some 10,000 machines and crippled the company's internal network. Even so, the malware used in the South Korean attacks is different from Shamoon in some ways, says Liam O Murchu, manager of operations at Symantec Security Response. "It operates differently ... but it's still destructive," Murchu says.

It was specifically written for Korean targets, for instance, and checks for Korean antivirus products to disable, Murchu says. In addition, it overwrites the Master Boot Record (MBR), wipes the contents of the hard disk, and has the ability to do the same on any attached or mapped drives. Without its MBR and drive contents, the machine is left unusable. Symantec has named the malware Trojan Horse/Trojan.Jokra and WS.Reputation.1.
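The MBR overwrite described above is the kind of damage a defender can detect cheaply by baselining sector 0 on a known-good host and re-checking it later. The following is an added example written for this article; it is not code from Symantec, Avast, or any other firm named here. It parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature), records a SHA-256 baseline, and flags a hash mismatch, a missing signature, an empty partition table, or a sector filled with a single repeated byte. The sample sector, partition values, and the wiped variants are constructed for illustration.

```python
"""Baseline-and-verify check for a disk's Master Boot Record (MBR).

Added example, not code from the article or from any vendor named in it.
A wiper that overwrites sector 0 destroys the partition table and the
0x55AA boot signature. Hashing the MBR on a known-good host and comparing
it later is a low-cost integrity check. All sample data below is constructed.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code


def parse_mbr(sector: bytes) -> Dict:
    """Decode the boot signature and the four partition entries of an MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the raw sector; store this as the baseline on a clean host."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if mbr_fingerprint(sector) != baseline_sha256:
        findings.append("mbr hash differs from baseline")
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if sector.count(sector[0:1]) == MBR_SIZE:
        findings.append("sector is a single repeated byte")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: dummy boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes(range(256)) + b"\x90" * (PARTITION_TABLE_OFFSET - 256)
    # status 0x80 (bootable), type 0x07 (NTFS), LBA start 2048, 204800 sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("clean host:", check_mbr(good, baseline))
    print("zero-filled sector 0:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

On a live Linux host the sector to check is the first 512 bytes of the block device (for example `open("/dev/sda", "rb").read(512)`, which needs root); the baseline hash should be stored off the machine, since a wiper that reaches the disk can also reach a locally stored baseline.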

"It is likely that the group that is called 'Whois Team' is a new one [and] just decided to deface the LG-owned website after they watched the news and found out about the attacks affecting the banks and media systems," says Jaime Blasco, labs manager at AlienVault Labs. "Another possibility is that a sophisticated group of attackers gained access to the banks and media systems, performed whatever actions they wanted to do, and then wiped all the systems to clean their tracks."

Or the attackers merely wanted to create panic and financial loss to the victims, he says. "The LG-owned website hack can also be a diversionary tactic or false flag operation to give false data about who is behind the attacks," Blasco says.

The malware may have been created using the GonDad exploit kit available on the black market, based on the filenames used in the attack, he says, although that's just a theory for now.

"I would say that the attackers could have built/bought access to a botnet that had infected systems from the affected entities -- media and banking, etc. -- and then they could have gained access to the network, gotten admin credentials, and executed the wiper payload," he says.

[Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery. See The Data-Annihilation Attack Is Back.]

"Obviously, the attacks were designed to be 'loud' -- the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame," Kaspersky Lab analysts wrote in a blog post today.

Kaspersky analysts say it's hard to tell whether this was an isolated attack or part of a larger "cyberwar" initiative. "If a nation state is NOT behind these attacks, then it's just cyber-terrorism; cyberwar requires a nation state to be behind the attacks. In general, if the attacks target critical infrastructure, they can be considered cyber-terrorism. According to the definition of critical infrastructure, banks can be considered as such, therefore, this counts as a cyberterrorism attack," they said. "Previous incidents like Stuxnet and Wiper were part of an ongoing cyberwar campaign that went for years, although in a more stealthy fashion."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
