‘Dark Seoul’ attack points to sophisticated cyberspying on S Korea, US militaries

A cyberattack waged against Seoul this year has put Web security firms on the trail of a malicious code first spotted in 2007 that seems to be directed at spying on US forces in South Korea and the South’s forces that officials say have been traced back to Pyongyang

By Yonkyung Lee and Martha Mendoza  /  AP, SEOUL and SAN JOSE, California

Thu, Jul 11, 2013 - Page 9

The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives. They are trying to steal South Korean and US military secrets with a malicious set of codes that they have been sending through the Internet for years, cybersecurity firms say.

The identities of the hackers, and the value of any information they have acquired, are not known to US and South Korean researchers who have studied line after line of computer code. However, they do not dispute South Korean claims that North Korea is responsible and other experts say the links to military spying add fuel to Seoul’s allegations.

Researchers at Santa Clara, California-based McAfee Labs said the malware was designed to find and upload information referring to US forces in South Korea, joint exercises or even the word “secret.” McAfee said versions of the malware have infected many Web sites in an ongoing attack that it calls Operation Troy because the code is peppered with references to the ancient city. McAfee said that in 2009, malware was implanted into a social media Web site used by military personnel in South Korea.

“This goes deeper than anyone had understood to date and it’s not just attacks: It’s military espionage,” said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave The Associated Press a report that the company is releasing later this week.

He analyzed code samples shared by US government partners and private customers.

McAfee found versions of the keyword-searching malware dating to 2009. South Korean cybersecurity researcher Simon Choi found versions of the code as early as 2007, with keyword-searching capabilities added in 2008. It was made by the same people who have also launched cyberattacks in South Korea over the past several years, Choi said.

Versions of the code may still be trying to glean military secrets from infected computers. Sherstobitoff said the same coded fingerprints were found on an attack on June 25 — the anniversary of the start of the 1950 to 1953 Korean War — in which Web sites for South Korean President Park Geun-hye and South Korean Prime Minister Jung Hong-won were attacked. A day later, the Pentagon said it was investigating reports that personal information about thousands of US troops in South Korea had been posted online.

Sherstobitoff began his investigation after the March 20 cyberattack, known as the Dark Seoul Incident. It wiped clean tens of thousands of hard drives, including those belonging to three television networks and three banks in South Korea, disabling ATMs and other bank services. South Korea says no military computers were affected by Dark Seoul.

The code used in the shutdown is different from that used to hunt for military secrets, but they share so many characteristics that Sherstobitoff and Choi believe they were made by the same people.

Sherstobitoff said those responsible for the spying had infected computers by “spear phishing” — targeted attacks that trick users into giving up sensitive information by posing as a trusted entity. The hackers hijacked about a dozen obscure Korean-language religious, social and shopping Web sites to pull secrets from infected computers without being detected.

The McAfee expert said the hackers have targeted government networks with military information for at least four years, using code that automatically searched infected computers for dozens of military terms in Korean, including “US Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by US Forces Korea and the South Korean military.

The report does not identify the government networks that were targeted, but does mention that in 2009, the code was used to infect a social media site used by military personnel living in South Korea. McAfee did not name the military social media site, nor release what language it is in, at the request of US authorities, who cited security issues. South Korea has a military force of 639,000 people and the US has 28,500 military personnel based in the country.

McAfee also said it listed only some of the keywords the malware searched for in its report. It said it withheld many other keywords that indicated the targeting of classified material, at the request of US officials, due to the sensitivity of releasing specific names and programs.

“These included names of individuals, base locations, weapons systems and assets,” Sherstobitoff said.

Choi has made similar discoveries through IssueMakersLab, a research group he and other “white-hat” hackers created.

Results of a report Choi produced were published in April by Boan News, a Seoul-based Web site focused on South Korean security issues, but they did not get broad attention. That report included many search terms not targeted in the McAfee report, including the English-language equivalents of Korean keywords.

Both McAfee and IssueMakersLab found that any documents, reports and even PowerPoint files with military keywords on infected computers would have been copied and sent back to the attackers.

The attackers are also able to erase hard drives en masse by uploading malware and sending remote-control commands, which is what happened on March 20.

Before that attack, hackers had been sending spy malware on domestic networks for months, giving them the ability to gather information about how their internal servers work, what Web sites the users visit and which computers are responsible for security, the researchers found. This information would have been crucial for planning the coordinated attacks on banks and TV networks.

Anti-virus software and safe practices such as avoiding links and attachments on suspicious e-mails can prevent computers from infection, but the March attack shows how difficult this can be to accomplish on a broad scale. Ironically, some of the malicious codes used were disguised as an anti-virus product from Ahnlab Inc, South Korea’s largest anti-virus maker, McAfee said.

McAfee said it shared its findings with US authorities in Seoul who are in close collaboration with South Korean military authorities.

Tim Junio, who studies cyberattacks at Stanford University’s Center for International Security and Cooperation, said the McAfee report provides “pretty compelling evidence that North Korea is responsible” for the attacks in the South by tying the series of hacks to a single source and by showing that users of a military social media site were targeted.

There are clues in the code as well. For example, a password, used over the years to unlock encrypted files, had the number 38 in it, a politically loaded figure for two countries divided on the 38th parallel, security experts said.

Pentagon spokesman Army Lieutenant Colonel James Gregory said the US Department of Defense looks forward to reviewing the study.

“The Defense Department takes the threat of cyberespionage and cybersecurity very seriously, which is why we have taken steps to increase funding to strengthen capabilities and harden networks to mitigate against the risk of cyberespionage,” he said.

The South Korean Ministry of Defense says its secrets are safe. Ministry spokesman Kim Min-seok said officials were unaware of McAfee’s study, but added that it is technically impossible to have lost classified reports because computers with military intelligence are not connected to the Internet. When accessing the Web, military officials use different computers disconnected from the internal military server, he said.

A hack of sensitive South Korean military computers from the Internet “cannot be done,” Kim said. “It’s physically separated.”

However, Sherstobitoff said it can be done, though he is not sure that it has been.

“While it is not entirely impossible to extract information from a closed network that is disconnected from the Internet, it would require some extensive planning and understanding of the internal layout to stage such an exfiltration to the external world,” he said.

Kwon Seok-chul, chief executive officer of Seoul-based cybersecurity firm Cuvepia Inc, said recent hacking incidents suggest hackers may have enough skills to infiltrate the internal servers of South Korean and US military. Even if two networks are separated, hackers will do anything to find some point where they converge, he said. “It takes time, but if you find the connection, you can still get into the internal server.”

FBI Assistant Director Richard McFeely would not comment on McAfee’s findings, but said in a written statement that “such reports often give the FBI a better understanding of the evolving cyberthreat.”

Neither the McAfee nor the IssueMakersLab reports say who is responsible for the cyberattacks, but many security experts believe North Korea is the likely culprit.

South Korean authorities have blamed the North for many cyberattacks on its government and military Web sites they linked the March 20 attacks to at least six computers in North Korea that were used to distribute malicious codes.

Several calling cards were left behind after the March attack, taunting victims. Two different and previously unknown groups separately took credit: The “Whois Hacking Team” posted pictures of skulls and a warning, while the “NewRomanic Cyber Army Team” said it had leaked private information from banks and media organizations.

“Hi, Dear Friends, We now have a great deal of personal information in our hands,” one such note said.

However, McAfee said that claim, and others — including tweets and online rumors claiming credit for prior attacks — were meant to mislead the public and investigators, covering up the deeper spying program.

James Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack is far more skillful and took place over a much longer period than was previously thought.

“I used to joke that it’s hard for the North Koreans to have a cyberarmy because they don’t have electricity, but it looks as if the regime has been investing heavily in this,” Lewis said. “Clearly this was part of a larger effort to acquire strategic military information and to influence South Korean politics.” North Korean leader Kim Jong-un has made computer use and the importance of developing the information technology sector hallmarks of his reign, devoting significant state resources toward science and technology. Though much of the country lacks steady electricity, a massive hydroelectric power station keeps the capital and state computer centers humming.

North Korean officials insist the emphasis on cyberwarfare is on protecting North Korea from cyberattacks, not waging them, but there is widespread suspicion that resources are also being poured into training scores of cyberwarriors as well.

Relatively few North Koreans are allowed to access the Internet — especially when compared to the South’s hyper-wired society — but it too has seen its computer systems paralyzed by cyberattacks. Pyongyang blames the US and South Korea and has warned of “merciless retaliation.”