Might the South Korean malware attacks have been designed to cause maximum chaos and disruption, rather than targeting any given organization? One theory -- advanced by Jaime Blasco, labs manager at AlienVault Labs -- is that whoever targeted the South Korean banks and broadcasters may have just used machines that were already infected by the GonDad exploit kit, which has been used to infect a number of PCs in the country.
"From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be [to] buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure," Blasco said in a blog post. "Even better, rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."
Indeed, he said that "if the goal of the attackers was to create panic it means they hadn't to have a specific list of victims, [did] they?" Instead, they could have just identified targets of opportunity.
"If the people behind yesterday's South Korean attacks had access to some of the infrastructure ... they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies," he said. "Then they could have manually upload another payload to each of the systems and they could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."
"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," he said.
5. Attacks Launched Via Chinese IP Address
A group calling itself the "Whois Team" has claimed credit for the attacks, and defaced some disrupted websites with a message announcing that "This is the Beginning of our Movement" and that "Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again." But who is the Whois Team? That's not clear, and it may just be a front for a nation state or gang.
According to the Korea Communications Commission (KCC), at least some of the malware that was used in the attacks was distributed via IP addresses located in China. That's no smoking gun for either Chinese government involvement or Chinese nationals being behind the attacks. Rather, attackers may have simply rented an inexpensive China-based botnet to target a pre-supplied list of South Korean IP or email addresses with malware attacks.
"Both the exploit kit and the malware mentioned seems to come from China, but the attackers could have bought/[rented] it in the black market," said Blasco at AlienVault Labs.
6. Outage: South Korean Internet Service Provider Targeted
The attackers may have also hacked into South Korean Internet service provider LG UPlus, which told police Wednesday that it had suffered a network outage as a result of a hack attack, reported Reuters. South Korean police said they were investigating that claim. Interestingly, all of the malware-attacked organizations are customers of LG UPlus, but that might just be a coincidence.
7. South Korean Officials Suspect North Korea
After any online attack against South Korea, the primary suspect is always North Korea, given tensions between the two neighbors, as well as reports that North Korea has developed a cyberwarfare unit. In the wake of yesterday's attacks, officials in Seoul were urging caution before assigning blame. But by Thursday, South Korean officials started pointing fingers.
The government "is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," a high-ranking official of the presidential office Cheong Wa Dae told Yonhap News Agency.
According to Yonhap, Korean intelligence officials said they've traced six online attacks to North Korea in recent years, including a massive 2009 distributed denial of service (DDoS) attack that disabled 26 South Korean government and foreign websites, another DDoS attack in March 2011 against the websites of the South Korean president, national assembly and media outlets, and a June 2012 attack against a conservative newspaper website. At least some of those attacks were launched via Chinese IP addresses.