Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Aftermath of the South Korean cyber attacks

Guillaume Lovet | March 26, 2013
Just what happened during the South Korean cyber attacks and how bad was it?

Q: What happened?

Several South Korean financial institutions and TV broadcaster networks were impacted by a destructive virus, which wiped the hard drives of infected computers, preventing them from booting up upon restart. The affected organisations are:

  • Financial institutions: Shinhan Bank, Nonghyup Bank and Jeju Bank
  • TV stations: Munhwa Broadcasting Corp (MBC), YTN and Korea Broadcasting System (KBS)

Fortinet's investigations into the attacks showed that the affected organisations in South Korea were using anti-virus software from local security vendors.

This malware, a Trojan-like virus, has been set to activate on 20 March 2013 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

Q: Is this a serious threat?

The attacks are very targeted, so unless you are a Korean bank or a Korean TV network, you would not be affected.

The actual impact of the attacks so far remains relatively unknown. Although it was informally reported that ATMs were impacted (it was not clear exactly how), TV broadcasts appeared unaffected to viewers. As of now, there were also no complaints from customers of the affected banks.

We will therefore have to wait for a disclosure from the victim banks (which may or may not happen, possibly for political reasons), to know the true extent of the damage caused.

Q: North Korea did it, right?

The timing (NATO had just tightened sanctions on North Korea) and the political situation make it tempting to assume North Korea did it. However, not a single factual element has pointed to that direction so far.

Some C&C channels possibly involved in the wiper attack were registered by individuals with ties to other sites hosting typical Chinese exploit packs, but this is no indication that the Chinese are responsible.

Q: How did the virus get there in the first place?

We do not know for sure. Our knowledge of the cyber crime scene makes us favour the hypothesis that the affected networks were already part of one or several casual botnets, and that the attackers just purchased from the botnet owners the right to install their wiper malware.

Working with the Korea Information Security Association (KISA), Fortinet found evidence that the attacks were prepared way beforehand. The attackers were trying to infect as many systems as they could prior to the 20 March 14:00 hrs deadline. Then, at that time, everything would be destroyed in unison. The entire scheme was clearly thought-out and premeditated.

Guillaume Lovet is senior manager, FortiGuard Labs Threat Response Team, Fortinet.


Sign up for MIS Asia eNewsletters.