report on the large-scale cyber attacks against South Korea that appear to be linked to hackers who also specialize in cyber espionage.
The attackers behind these recent attacks against South Korean infrastructure are skilled professionals, and they designed specialized malware to steal military secrets from South Korean and US military networks.
The cyber espionage campaign was dubbed "Operation Troy" because of the numerous references to the city in the analyzed source code. McAfee said that in 2009, malware was implanted into a social media website used by military personnel in South Korea.
Ryan Sherstobitoff, a senior threat researcher at McAfee, started the investigation after the malware came into action in an attack on March 20th, known as the Dark Seoul Incident, in which tens of thousands of hard drives belonging to television networks and banks in South Korea were wiped completely.
Versions of the code may still be trying to glean military secrets from infected computers. Sherstobitoff said the same coded fingerprints were found in an attack on June 25, the anniversary of the start of the 1950-53 Korean War, in which websites for South Korea's president and prime minister were attacked.
On June 26th the US Government announced that personal information about thousands of U.S. troops in South Korea had been exposed online.
The attackers infected victims with “spear phishing” attacks; they also compromised about a dozen Korean-language religious, social and shopping websites to steal secret information from infected networks.
The following image shows the timeline of the attacks:
“This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage,” Sherstobitoff said.
Although the malware used to wipe the disks during the recent attacks against Korean infrastructure is different from the one used for the cyber espionage campaign, many similarities have been found between the source code of both, and this has led to the belief that they were created by the same malware developer team.
Researchers highlighted that there are various clues in the malicious code that point to North Korea; for example, the password used to unlock encrypted files contains the number 38, probably linked to the "38th parallel" that separates North from South Korea.
After the previous attack, two different and previously unknown groups separately took credit: the "Whois Hacking Team" posted pictures of skulls and a warning, while the "NewRomanic Cyber Army Team" said it had leaked private information from banks and media organizations.
Before that attack, hackers had been sending spy malware on domestic networks for months, giving them the ability to gather information about how their internal servers work, what websites the users visit and which computers are responsible for security, the researchers found. This information would have been crucial for planning the coordinated attacks on banks and TV networks.
The exact amount of information stolen and the exact networks penetrated by the attackers are still not clear, but South Korea officially blamed North Korean state-sponsored hackers.
The hackers spied on government networks holding military information for at least four years, using code that automatically searched infected computers for dozens of military terms in Korean, including “U.S. Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by U.S. Forces Korea and the South Korean military.
“These included names of individuals, base locations, weapons systems and assets,” revealed Sherstobitoff.
South Korea’s Defense Ministry announced that it’s technically impossible to disclose classified reports from military networks because the networks of Korean intelligence aren't connected to the Internet, and Internet access is provided through different computers separated from the internal military infrastructure.
Hacking sensitive South Korean military computers from the Internet “cannot be done,” said the South Korean government representative. “It’s physically separated.”
North Korea has the highest percentage of military personnel in relation to population of any nation in the world. It has approximately 40 enlisted soldiers per 1000 people, with a considerable impact on the economy of the country. A defector has declared that North Korea has increased its cyber warfare unit to a staff of 3,000 people and is massively training its young prodigies to become professional hackers.
The government of Pyongyang is investing massively in cyber warfare capabilities, recruiting and forming a highly skilled team of hackers. The groups could be engaged in offensive cyber operations against hostile governments and in cyber espionage activities.
Although McAfee researchers haven’t indicated the origin of the attacks, many security experts have no doubts about the nature of the offensive: North Korean state-sponsored hackers appear to be the main culprits.