McAfee: S. Korea major cyberattack part of 4-year spy op

The security vendor believes the March cyberattacks which hit banks and news agencies were part of a long term espionage campaign, dubbed "Operation Troy", aimed at stealing military and government data.

The cyberattacks against South Korean banks and news agencies which took place in March were part of a long-term, domestic covert operation called "Operation Troy", which was aimed at stealing sensitive military and government data, McAfee said.

The cyberattacks in South Korea on March 20, 2013 which reportedly affected 30,000 computers has since been dubbed "Dark Seoul".

Operation Troy's roots go back to 2009, where the Trojan's source code was first compiled and reached its culmination in March 2013 (Source: McAfee)
Main suspect: New Romanic Cyber Army Team

-Makes significant use of Roman terms in its codes

-Sometimes, the developers insert such fingerprints on purpose to establish "ownership" of a new threat.

-Such clues can be used to determine the original source and development legacy of a new "product".

While it remains unclear if the attacks were state-sponsored, the security vendor said in a report released Monday, the operation which had been going on since 2009, were conducted by two separate hacker groups--New Romanic Cyber Army Team and the Whois Hacking Team.

The attackers gang had infected PCs with a malware, the 3Rat Trojan, which automatically sought out documents of interest by scanning computers for military keywords in English and Korean, the report noted. Once the malware identified documents of interest, it encrypted those files and delivered them to the hackers' servers.

"This capability could be devastating if military networks were to suddenly be wiped after an adversary had gathered intelligence. This was clearly the case with the Dark Seoul incident, in which we confirmed that the 3Rat Trojan gained access prior to the master boot record (MBR) wiping event," the report said.

In March this year, a cyberattack launched against local Internet service provider, LG Uplus , resulted in server outages at three domestic broadcasters YTN, MBC, and KBS, as well as the Shinhan Bank and NongHyup Bank. The attacks were initially traced to an IP address in China but the Korea Communications Commission later corrected its assessment saying the malware came from a local origin.

McAfee's First Quarter 2013 threat report released in June also found South Korea along with two other Asian nations Hong Kong and Japan were home to Web threats such as spam, phishing e-mail and Web sites, botnets and servers hosting malicious content.

Show Comments