Hard drive-wiping malware that hit South Korea tied to military espionage

"Dark Seoul" attack that wreaked havoc is part of spy campaign operating since 2009.

The hackers responsible for a malware attack in March that simultaneously wiped data from tens of thousands of South Korean computers belong to the same espionage group that has targeted South Korean and US military secrets for four years, researchers said.

The conclusion, reported in a recently published research paper from security firm McAfee, is surprising. Most groups behind network-based espionage campaigns take pains to remain hidden to ensure their advanced persistent threat (APT) is able to siphon as much sensitive data as possible. The "Dark Seoul" attack, by contrast, has attracted huge amounts of attention because of its coordinated detonation. It struck government and media networks in South Korea precisely at 2pm local time on March 20, affecting both Internet and mobile banking applications, while taking automatic teller machines offline. Until now, researchers speculated the unknown group behind the attack was primarily motivated by a goal of causing disruptions.

In fact, Dark Seoul was just one component of "Operation Troy," a long-term spying campaign targeting military organizations that dates back to at least 2009. The covert operation gets its name from references to the ancient city found in malware developed by the attackers. The malware made use of a sophisticated control network to carry information over Web and Internet relay chat connections that were secured with strong encryption. Remote access tools installed on compromised target machines methodically searched for military terms and downloaded only documents that were deemed important. The malware initially took hold after the attackers planted a previously undocumented "zero-day" exploit on a military social networking site. The technique is known as a watering-hole-style attack, because it attempts to plant drive-by exploits into sites frequented by the people the attackers hope to infect (similar to a hunter targeting its prey as it drinks water).

"McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea's military and government activities," McAfee researchers Ryan Sherstobitoff, Itai Liba, and James Walter wrote. "The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets. We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible."

Among the tell-tale signs that the two attacks are related is the code used by Dark Seoul to destroy the master boot record (MBR) of infected machines. That capability also resides in the remote access trojan used in Operation Troy campaigns, where it wipes data from compromised machines that show signs of being disinfected. By permanently disabling the machines, the attackers stand a much higher chance of hiding their campaign from adversaries. The wiping malware used in the two campaigns wasn't identical, but the McAfee report said there were enough similarities that the different samples had to have been spawned by the same group.

Also significant, the wiper malware used in Dark Seoul was compiled just hours before it was executed on tens of thousands of machines belonging to South Korean government agencies and media outlets. The timing suggests the targeted computers had been infected days, weeks, or even months in advance, since it's unlikely so many computers could be infected and destroyed in such a short period.

The terms Operation Troy malware searched for included "tactics," "brigade," "logistics," and "Operation Key Resolve," according to the BBC. The last phrase refers to a military exercise involving US and South Korean forces that is carried out every year. The report doesn't identify the group responsible for Operation Troy or the specific South Korean government networks that were infected.

It remains unclear why the wiping Dark Seoul malware was unleashed. The compilation date suggests it was done intentionally rather than by accident. The activation of such a destructive payload touched off the McAfee investigation that ultimately led to the new report about Operation Troy. If the group behind the campaign was hoping to cover its tracks, the clamor it set off by destroying tens of thousands of machines in unison may only have brought attention to a spying operation that had previously been largely overlooked.