Pierluigi Paganini July 09, 2013

Mc Afee Lab experts revealed that hackers behind large scale cyberattacks against South Korea also designed malware to steal military secrets.

The hackers behind the recent attacks against South Korean infrastructure are professionals that designed also malicious code to steal military secrets to the South Korea and US military. Security experts at McAfee Labs revealed that the malware used during the attacks was expressly designed to find and steal secret information on US forces involved in joint exercises in South Korea.

The wave of attacks malware based was dubbed by researchers Operation Troy due the numerous references into the code of the city, the malicious code used appears the same implanted into a social media website used by military personnel in South Korea in 2009.

Ryan Sherstobitoff, a senior threat researcher at McAfee, provided to the The Associated Press a report that will be publicly issued later this week on the analysis of malware instances detected. Despite it is not clear the exact amount of information stolen, neither the exact networks penetrated by attackers, South Korean Government blamed North Korean state sponsored-hackers.

Researchers highlighted that there are various clues in the malicious code which lead to the North Korea, for example the password used to unlock encrypted files contains the number 38 probably linked to “38th parallel” that separates the North from South Korea.

Sherstobitoff started the investigation after the malware based attacks occurred on March 20^th, known as the Dark Seoul Incident, in which tens of thousands of hard drives belonging to television networks and banks in South Korea were wiped.

“This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage,” Sherstobitoff said

McAfee researchers said that the malware used to wipe the disks during the recent attacks is different from the malicious code used for the cyber espionage campaign, but the presence of many similarities between the two codes led to believe they must be created by the same developers.

On the Internet circulated the name of two distinct groups of hackers that claimed responsibility for the attacks, The “Whois Hacking Team” that posted pictures of skulls and a warning and the “NewRomanic Cyber Army Team” that announced it had leaked private information from Korean media and banking.

Another element of interest is that the hackers behind the attacks have spread their spyware on domestic networks for months with specific intent to gather information on national cyber infrastructure and on the habit of Korean Internet users, data that could advantage successive attacks.

What is interesting is that the South Korean cybersecurity researcher, Simon Choi, found instances of the malware dated early 2007, they were equipped with keyword-searching capabilities added in 2008 and for sure the same hackers were involved in cyber attacks launched in the past years against South Korea.

Choi, who works for a South Korean cybersecurity company, has conducted an investigation with  researchers at IssueMakersLab, issued in the last months a report that revealed many search terms used by malware and that were not included in the McAfee report, including the English-language equivalents of Korean keywords.

Sherstobitoff hypothesized that same code it is still operating to gain confidential information from South Korean, the researcher sustains that malware fingerprints were found on the anniversary of the start of the 1950-53 Korean War occurred on June 25^th, when government websites including South Korea’s president and prime minister portal were attacked.

On June 26^th the US Government announced that personal information about thousands of U.S. troops in South Korea had been exposed online.

The attackers infected victims with “spear phishing” attacks, the hackers also compromised about a dozen Korean-language religious, social and shopping websites to steal secret info from victims being undetected.

The attackers have targeted government networks managing military information for at least four years, they used malicious code that automatically searched for military terms in Korean, including “U.S. Army,” ‘’secret,” ‘’Joint Chiefs of Staff” and “Operation Key Resolve,”.

 “These included names of individuals, base locations, weapons systems and assets,” revealed Sherstobitoff.

South Korea’s Defense Ministry announced that it’s technically impossible to disclose classified reports from military networks because the networks of the Korean Intelligence  aren’t connected to the Internet and that access to the Internet is made with different computers separated by the internal military infrastructure.

A hack of sensitive South Korean military computers from the Internet “cannot be done,” “It’s physically separated.” said the South Korean government representative.

Kwon Seok-chul, chief executive officer of Seoul-based cyber security firm Cuvepia Inc., said that hackers may have the skills to penetrate into the internal networks of Korean and U.S. Military even if they are separated from the internet.

“It takes time, but if you find the connection, you can still get into the internal server,” Kwon said.

Despite a limited portion of the North Korean population has access to the Internet it must be considered that the country has the highest percentage of military personnel in relation to population than any other nation in the world. It has approximately 40 enlisted soldiers per 1000 people with a considerable impact on the economy of the country. A defector has declared that North Korea has increased its cyber warfare unit to staff 3,000 people and it is massive training its young prodigies to become professional hackers.

According the revelation of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is massive investing in cyber warfare capabilities, recruiting and forming a high skilled team of hackers. The groups will could be engaged in offensive cyber operation against hostile government and in cyber espionage activities.

In spite of McAfee researchers haven’t indicated the origin of the attacks many security experts have no doubts about the nature of the offensive, North Korean state sponsored hackers appear as the main culprits.

Pierluigi Paganini

(Security Affairs – North Korea, South Korea)