South Korean Media and Banks under Cyberattack
Update March 22, 2013 18:00 (UTC+9): New information from the Korean Communications Commission (KCC) said that the earlier report connecting attacks to a Chinese IP address was wrong. Instead the IP address was used by an employee of Nonghyup bank. Reports claim that Shinhan and Jeju banks are fully operational, Nonghyup is partially recovered and the broadcasters are only about 10% recovered. Also it appears that 20% of Nonghyup ATMs are still offline after the attack. There’s an interesting first-hand account of the events from a MBC employee.
On March 20, 2013, several banking and media sites in South Korea came under attack. The attacks knocked critical systems offline at banks and media outlets. Initial suspicion pointed the finger at North Korean government, but it now appears that a hacking group may be behind the attacks. Reports are still coming in and some details may change as better understanding is gained. We will update the situation as it evolves.
At approximately 2:20PM in Seoul, computers at three media outlets - KBS, MBC, YTN – and two banks – Shinhan and Nonghyup – froze or rebooted. The banks’ ATM networks were affected, and companies using them for processing credit cards reverted to cash-only transactions. At the media outlets the computer problems did not prevent television broadcasts, but many employees were unable to use their computers. It’s estimated that an estimated 32,000 computers were infected with destructive malicious software.
Many of these computers – maybe all of them – will not come back online without lots of work. The malicious software is reported to make all the data inaccessible, either by deleting it directly or by destroying the Master Boot Record (MBR) – the table of contents, so to speak. South Korean officials and people within the affected companies are largely calling these events a “network paralysis” rather than a cyberattack or a Distributed Denial of Service (DDOS).
There has been a suggestion that the attack may be related to suspicious files discovered last week that appear to target KBS and MBC. SBS, another Korean broadcaster, may have also been targeted but is not reported to have suffered damage yet. Some of the malware may have the ability to damage Unix systems as well as Windows.
The South Korean government has raised cyber alert status in the country. The South Korean Army has changed their INFOCON (Information Operations Condition) from 4 to 3, indicating higher threat of attack. The normal status is 5. The Korean Computer Emergency Response Team (KrCERT) changed their status from 2 to 3, reflecting a “substantial” risk of attack.
A subsidiary of the technology maker, LG, called U Plus provides Internet service to all of the affected organizations. It is not known whether this link is related to the attack or whether it is coincidental. Initial reports claimed that U Plus claimed their systems were hacked - some stories quoting an unnamed spokesperson for the company and some attributing the information to social media posts claiming to be from an employee. CNBC quotes a U Plus spokesperson named Lee Jung-hwan as saying that no attacks were detected on their network. It may be that an attack on U Plus happened but was unrelated to the attacks against the media and banking companies.
There were likely several ways that the malicious software spread. Security systems detected and blocked the malware as it came through email. Analysis of the malicious code itself reveals a mechanism for spreading the malware within the affected companies through a Software Management Server used to distribute updates to computers. It is likely that multiple methods of propogation were used.
Initially most reports suggested that North Korea may be behind the attack. Yesterday Pyongyang derided the joint military actions of the US and South Korea and recent rhetoric from the North has been very aggressive. Last week North Korea suffered Internet outages, the cause of which are still not publicly known. But they claimed to be victims of a US and South Korean cyberattack. The South Korean government earlier claimed that the malicious code had been traced back to a location in China. However they have retracted the claim, saying that the data they had was misleading and the system was related to Nonghyup bank.
However, evidence is starting to emerge pointing to a hacking group called Whois Team. A website was posted by the group claiming to have stolen all the information and deleted it from the computers. At the moment no official reports from the US or Korean governments have identified the group they think is responsible for the attack. However Seoul has said no Korean government computers have been affected.
These aren’t the first cyberattacks on South Korean institutions. In 2009 DDOS attacks hit several companies, including the banks affected today. And in 2011 DDOS attacks again hit Seoul. However, these are different in that they are not tying up the Internet resources, but are knocking out computer systems in a way that will keep them offline for a while. Analysis of the malicious software revealed the word HASTATI – the first line of attack in the Roman army. A new variant appears to have been found with the word PRINCIPES embedded, which is the second of three waves in a Roman army.
The information above is all from press reports. But there is doubtless much more to the events than has been reported. Most of this is likely because of the confusion that surrounds the early stages of these kinds of events. We are going to try to do some analysis, but because of language and knowledge barriers in media reporting we may come up with some conclusions that aren’t quite right. We apologize in advance and will try to be conservative with our analysis. Here are our hypotheses.
This was not an APT. Several reports have suggested that this attack was perpetrated by an Advanced Persistent Threat (APT). We suspect that this attack is one that was targeted at the victims specifically, but that the techniques were not all that advanced. Truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in. Instead, they try to remain undetected for months or years and take information or affect normal operations for some more strategic advantage.
This was probably not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the “skull” website would either be unrelated or a false flag. That doesn’t seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The allusions to Roman army structure, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism. But it is entirely plausible that North Korea enticed the Whois Team to carry out the attack.
There may be a Middle-Eastern and North African connection. The type of malicious software used, called “wipers”, has been seen in other attacks. Two of these attacks highlighted by Kaspersky have a Middle-Eastern connection. The skulls image that the Whois Team used has also been used in other attacks against Middle Eastern targets by French-speaking Muslim groups Xrapt0r and Mauritania Hacking Team (links withheld). It’s too early to say if there is a link, but circumstantially it appears that there is. If there is a connection, it may be that the attackers were hired by others in order to cover their tracks. It is also possible that the link is a false flag, designed to throw investigators off.
The LG U Plus link is significant. We don’t believe it is a coincidence that the same service provider counted all of the victims as customers. There are hundreds of ways that an attacker could use this relationship to infect customers with malware. It may not be related to Internet services, but others such as desktop maintenance or server administration. It’s too early to say. But that link could be a red herring. It’s not clear to us whether LG U Plus provides services for other major Korean banks and media outlets or not. It may, in fact, be that LG U Plus is simply the largest Internet and Computer Services company in Korea and that everybody uses them.
This event will end up costing hundreds of millions of dollars. The way in which these computers were affected means there will likely have to be a lot of work that goes into fixing them. That means lost productivity – the largest cost – as well as time from the IT department and other cleanup costs. And there will doubtless be outside investigations to pay for, government oversight questions to answer and purchases made to prevent this kind of thing from happening again. The companies will undoubtedly lose revenue because of these attacks. And any data that isn’t backed up will be lost or will have to be recreated.
There may be more waves of attack. The second (PRINCIPES) variant found strengthens the case that the attacks will proceed in waves. As of yet it is not known if the second variant was a part of the first wave or whether it will cause an impact later. To complete the Roman military structure a third variant should be expected, using the word TRIARII.