South Korea Attackers ‘Pierced Military Networks’

Attackers who pummelled TV stations and banks in South Korea earlier this year have been hunting for military secrets since 2009 and managed to get malware on military systems, according to security firm McAfee.

A group known as the New Romantic Cyber Army appears to be the source of the attacks, which came to light in March when malware wiped systems at well-known South Korean institutions. Officials in South Korea subsequently claimed the hits likely emanated from North Korea.

The attackers have previously been known as Dark Seoul, whilst McAfee believes the Whois Team is part of the same gang. The firm said the multiple claims of responsibility have acted as a decoy – a single group is almost certainly behind the hits.

South Korea attacks

As Symantec claimed last month, McAfee believes the group has been operating since 2009. But the Intel-owned firm has revealed details from a more in-depth report, calling it Operation Troy because of references to the ancient city found in the attack code.

The “long-term domestic spying operation” and “covert espionage campaign” has seen various malware in use, the most recent being the Concealment Troy remote access Trojan (RAT), which was released in January 2013.

The New Romantic Cyber Army sought to penetrate military networks and McAfee said it had done so successfully.

“In this case the adversary had designed a sophisticated encrypted network designed to gather intelligence on military networks. We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011 and 2013,” the report read.

However, a South Korean official told the Associated Press said it was impossible military secrets were pilfered as such data was not stored on systems connected to the Internet.

Super skilled attackers

Tools were able to identify what kinds of military information sat on target machines before the attackers decided to pilfer it. They did so by scanning for specific file extensions and keywords in documents, all of them military specific.

The hackers used encryption throughout the data extraction process and across their own network to hide their communications. “The attackers’ encrypted network uses Microsoft’s Cryptography API library Version 1.0 to encrypt communication channels to the control servers over both HTTP and IRC. The encryption uses a 128-bit RSA key.”

They initially compromised targets either with emails containing links to malware or with watering-hole attacks, lacing websites with malicious code to get malware at victims’ machines. In one case in 2009, they were able to get a zero-day exploit on a military social network.

The Cyber Army ran their own network over both HTTP and used IRC as secondary channel to infected systems that were part of their botnet.

“The espionage malware has the capability to destroy systems in the same way that the March 20, 2013, attacks disabled thousands of systems in South Korea,” McAfee’s report noted.

“This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence.”

It was claimed last month that data on 40,000 US troops and over two million South Korean ruling party workers were stolen by the same hackers who hit media bodies and financial institutions in March.

Are you a security expert? Try our quiz!