Unraveling the South Korean cyberattacks
Wednesday’s news that the networks of several South Korean broadcasting organizations and banks have been partially or entirely crippled by coordinated attacks has raised a lot of questions, chief among them “who is behind the attacks?”
South Korean Defence Ministry spokesman Kim Min-seok immediately stated that they would not be ruling out the possibility of North Korea being involved, which is understandable because relations between the two countries have been extremely strained lately.
Investigation into the matter revealed that the attacks came from a single Chinese IP address. While this doesn’t mean that the attackers are Chinese, it made the likelihood of them being North Korean higher, as intelligence experts say that their modus operandi often includes using Chinese IP addresses to hide the real provenance of their cyber-attacks.
In the meantime, security firms such as Symantec, Sophos and FireEye have begun analyzing the malware delivered in the attacks. They have collectively concluded that the wiper component was meant first to kill AV and security processes on the targeted computers, then to overwrite the Master Boot Record on their disks and reboot them.
The Trojan which dropped the malware onto the systems is apparently also able to wipe remote Linux and Unix machines on the computers’ network.
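An MBR that has been overwritten in the way described above can be recognised from the raw first sector alone. The following Python is an added illustration from the defender's side, not code from the article or from any of the vendors it names: it parses a 512-byte MBR image, checks the boot signature and partition table, flags a sector that has been filled with a repeating pattern, and optionally compares the sector against a recorded baseline hash. The two sample sectors are constructed for the example; the zero filler used for the "wiped" sample is not the pattern used in any real attack.

```python
"""Sanity checks for a Master Boot Record image (added example, not from the article).

The filler pattern in WIPED_MBR below is constructed for this example and
does not represent any real wiper's overwrite string.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of a sector, as recorded when the machine was known to be clean."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str = None) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    # Heuristic: a wiper that overwrites the sector with one byte or a short
    # repeating string leaves almost no distinct byte values behind.
    if len(set(mbr)) <= 4:
        findings.append("sector filled with a repeating pattern")
    entries = parse_partition_table(mbr)
    if not any(e["type"] != 0 and e["sectors"] > 0 for e in entries):
        findings.append("no usable partition entry")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{e['status']:02x}")
    if baseline_sha256 is not None and baseline_hash(mbr) != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return findings


# Constructed sample: 446 bytes of stand-in boot code, one active NTFS-type
# partition starting at LBA 2048, three empty entries, and the boot signature.
GOOD_MBR = (
    b"\xeb\x3c\x90" + bytes((i * 37) % 251 for i in range(443))
    + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    + b"\x00" * 48
    + BOOT_SIGNATURE
)

# Constructed sample: the same sector after being overwritten with zeros.
WIPED_MBR = b"\x00" * MBR_SIZE

if __name__ == "__main__":
    clean = baseline_hash(GOOD_MBR)
    print("good sector:", check_mbr(GOOD_MBR, clean) or "no findings")
    print("wiped sector:", check_mbr(WIPED_MBR, clean))
```

In practice the baseline hash would be recorded from each host's first sector while it is known to be clean; a later mismatch, or any of the structural findings, is a reason to pull the machine for forensic imaging rather than to let it reboot.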
But the malware is not responsible for knocking the companies’ networks offline, nor for the defacement of a number of company websites hosted by Korean network provider LG U+, for which hackers calling themselves “Whois Team” have claimed responsibility. For the time being it is impossible to tell whether all these attacks are connected.
AlienVault’s Jaime Blasco has a few interesting theories on how the malware could have been delivered to the affected computers and how the attackers could have gained access to the affected networks in order to launch the wiping routine.
They involve either the use of an exploit kit and malware kit, or the renting of a botnet that already has zombie computers inside the targeted companies.