McAfee uncovers massive cyber espionage campaign against South Korea

Attackers have been mining U.S. ally's military and government systems since 2009, in search of sensitive information

The widespread cyber attacks against South Korean banks and news agencies last March were the culmination of a long-term, covert operation dubbed Operation Troy, aimed at stealing sensitive military and government data, according to a newly released report from McAfee. Since 2009, perpetrators employed a "sophisticated military-spying network" that leveraged malware to locate and steal documents with keywords such as "U.S. army," "north," "weapon," and "defense" in their titles, according to the company.

Although McAfee has linked the most recent attacks, dubbed Dark Seoul, to two separate hacker groups -- New Romantic Cyber Army Team and the Whois Hacking Team -- the company hasn't determined whether they were state-sponsored. McAfee analysts, however, noted it has "linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible."

South Korea has accused North Korea of backing cyber attacks but hasn't made public any hard evidence linking its neighbor to the campaigns. North Korea has denied any involvement.

The inner workings of Operation Troy

Perpetrators have carried out Operation Troy using "a sophisticated military spying network targeting South Korea that has been in operation since 2009. Our analysis shows this network is connected to the Dark Seoul incident," according to the report. "Furthermore, we have also determined that a single group has been behind a series of threats targeting South Korea since October 2009. In this case the adversary had designed a sophisticated encrypted network designed to gather intelligence on military networks."

The network, according to McAfee, was designed to camouflage communications between Trojan-infected systems and control servers via the Microsoft Cryptography API using RSA 128-bit encryption. "Everything extracted from these military networks would be transmitted over this encrypted network once the malware identified interesting information," according to the report. "What makes this case particularly interesting is the use of automated reconnaissance tools to identify what specific military information internal systems contained before the attackers tried to grab any of the files."

The attacks proceeded as follows: the attackers compromised a target system via a watering-hole attack, then moved on to exploit the internal systems. Initially, the perpetrators placed a zero-day exploit on a military social networking site; in later cases, they likely used spear-phishing tactics.

From there, the installed malware would automatically perform recon on target systems, searching out documents of interest. The malware was also capable of scraping passwords, registry information, and directory listings of interesting files. The attackers could request directory contents from infected systems and grab whichever files they deemed worthy. Those files were transmitted via an HTTP-encrypted channel to the attacker's server.

Beyond stealing files, the espionage malware is capable of destroying systems "in the same way that the March 20, 2013, attacks disabled thousands of systems in South Korea," according to the report. "This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence. This was clearly the case with the March 20 Dark Seoul incident, in which we confirmed that the 3Rat Trojan gained access prior to the MBR-wiping event."

Operation Troy's targets


McAfee found that the initial malware code used in Operation Troy was created in 2010 and has undergone upgrades since. "The malware used in these attacks was compiled to specifically target South Korea and used Korean-language resources in the binaries," according to the report. "The malware connected to legitimate Korean domains that were running a bulletin board and sent a specific command to a PHP page to establish an IRC channel and receive commands."
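The report describes two observable traits of this malware on the wire: regular check-ins to a PHP page on a legitimate bulletin-board domain, and bulk transfer of harvested files over an HTTP channel. The following script is an added defender-side example, not code from McAfee or from the report, showing how a proxy log could be screened for exactly that pairing. The log format, the host names (board.example.kr, news.example.kr), the paths and the thresholds are all constructed for illustration and are not indicators from the report.

```python
"""Beaconing plus exfiltration heuristic over proxy logs (added example, not from the McAfee report)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp, client IP, method, URL, bytes sent by the client.
# Hosts and paths are placeholders, not indicators taken from the report.
SAMPLE_LOG = """\
2013-03-18T09:00:00 10.1.2.7 POST http://board.example.kr/bbs/cmd.php 512
2013-03-18T09:05:01 10.1.2.7 POST http://board.example.kr/bbs/cmd.php 498
2013-03-18T09:10:00 10.1.2.7 POST http://board.example.kr/bbs/cmd.php 1843210
2013-03-18T09:15:02 10.1.2.7 POST http://board.example.kr/bbs/cmd.php 520
2013-03-18T09:20:00 10.1.2.7 POST http://board.example.kr/bbs/cmd.php 2210045
2013-03-18T09:03:11 10.1.2.9 GET http://news.example.kr/index.php 0
2013-03-18T11:47:52 10.1.2.9 GET http://news.example.kr/article.php 0
2013-03-18T14:02:30 10.1.2.9 POST http://news.example.kr/login.php 310
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, method, url, sent = line.split()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": u.hostname, "path": u.path, "sent": int(sent)}


def find_beacons(log_text, min_hits=4, max_jitter=0.2, exfil_bytes=1_000_000):
    """Return (src, host, path, hits, bytes_out) for client/PHP-endpoint pairs that show
    both a metronome-like request schedule and a large outbound byte volume.

    Thresholds are illustrative assumptions; tune them to the environment's baseline."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"].endswith(".php"):
            sessions[(rec["src"], rec["host"], rec["path"])].append(rec)

    findings = []
    for (src, host, path), recs in sessions.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the inter-request gaps: near 0 means a fixed
        # schedule, which is typical of automated check-ins rather than a human browsing.
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        bytes_out = sum(r["sent"] for r in recs)
        if jitter <= max_jitter and bytes_out >= exfil_bytes:
            findings.append((src, host, path, len(recs), bytes_out))
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print("suspicious:", finding)
```

Only the combination of the two signals is flagged: the browsing host 10.1.2.9 touches PHP pages too, but at irregular intervals and with negligible upload volume, so it is not reported. A real deployment would key on whichever log source captures client-side byte counts (proxy, firewall or NetFlow) and would baseline the jitter and volume thresholds per network segment.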

This article, "McAfee uncovers massive cyber espionage campaign against South Korea," was originally published at InfoWorld.com.
