According to McAfee Labs, however, Dark Seoul is notable for another reason: it can be linked back to an ongoing, persistent operation against South Korea known as Operation Troy, which has been targeting the world’s most wired nation since at least 2009. And the threat appears to come from within.
“McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities,” the security firm noted in a white paper dissecting the issue.
“The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets. We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible.”
Aside from the obvious nod to Trojan-horse malware, the campaign was named “Operation Troy” because of the Roman and Trojan terms sprinkled liberally throughout the attack code, which McAfee said most likely points to a group called the NewRomanic Cyber Army Team as the perpetrators.
The latest attacks caused significant disruption to ATM networks in South Korea, denying customers access to funds. But beyond wiping the MBR to render systems unusable, which brings the target’s operations to an instant slowdown, Operation Troy also focuses on stealing data, holding it hostage and announcing the theft in an Anonymous-style hacktivist approach.
“Public news media have reported only that tens of thousands of computers had their MBRs wiped by the malware,” McAfee said. “But there is more to this story: The main group behind the attack claims that a vast amount of personal information has been stolen. This type of tactic is consistent with Anonymous operations and others that fall within the hacktivist category, in which they announce and leak portions of confidential information.”
McAfee also found that in 2011 one of the same financial institutions was hit with destructive malware that caused a denial of service. “The attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies,” the firm said, noting that the attackers also referred to destroying the data on a large number of machines (i.e., MBR wiping).
The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools. While analyzing malware components from before the March 20 incident, McAfee found attributes of the files involved, some similar and some identical, that link them to the 3Rat remote administration tool client used on March 20, as well as to samples dating to 2010. The firm said it is also possible that the campaign known as 10 Days of Rain is a byproduct of Operation Troy; some of the analysis suggests that the malware Concealment Troy was present in those attacks.
“This spying operation had remained hidden and only now has been discovered through diligent research and collaboration,” McAfee noted. “We also suspect the attackers had knowledge of the security software running within the environment before they wiped the systems, given that some of the variants used in the attack were made to look as if they were antimalware update files from before March 20.”
In all, McAfee’s investigation found a long-term domestic spying operation underway since at least 2009, all based on the same code, attempting to infiltrate specific South Korean targets.
“Typically this sort of advanced persistent threat (APT) campaign has targeted a number of sectors in various countries, but Operation Troy, as these attacks are now called, targets solely South Korea,” it noted. “From our analysis of unique attributes within the malware samples we have determined that…the malware used in these attacks was compiled to specifically target South Korea and used Korean-language resources in the binaries. The malware connected to legitimate Korean domains that were running a bulletin board and sent a specific command to a PHP page to establish an IRC channel and receive commands.”
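The command-and-control pattern McAfee describes (a request to a PHP page on a legitimate bulletin-board site, followed by an IRC session for tasking) is something a defender can hunt for by correlating web-proxy and connection logs. The following Python is an added example, not code from the article or from the McAfee report; the log formats, hostnames and addresses are constructed, and it assumes IRC is on its standard ports.

```python
from datetime import datetime, timedelta

# Constructed sample logs: "<timestamp> <source host> <detail>". Not real data.
PROXY_LOG = """\
2013-03-20T09:01:10 10.0.0.5 GET http://bbs.example.kr/board/view.php?id=12
2013-03-20T09:01:12 10.0.0.5 POST http://bbs.example.kr/board/cmd.php
2013-03-20T09:05:00 10.0.0.7 GET http://news.example.kr/index.html
"""
CONN_LOG = """\
2013-03-20T09:01:40 10.0.0.5 198.51.100.9:6667 tcp
2013-03-20T09:30:00 10.0.0.7 203.0.113.4:443 tcp
2013-03-20T11:00:00 10.0.0.8 198.51.100.9:6667 tcp
"""

IRC_PORTS = {6667, 6668, 6669, 6697}   # assumption: standard IRC ports only
WINDOW = timedelta(minutes=10)         # how soon after the PHP request the IRC session must start

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def php_requests(proxy_text):
    """Return (time, host, url) for proxy entries whose path is a PHP page."""
    out = []
    for line in proxy_text.splitlines():
        ts, host, _method, url = line.split()
        if url.split("?", 1)[0].lower().endswith(".php"):
            out.append((_ts(ts), host, url))
    return out

def irc_connections(conn_text):
    """Return (time, host, destination) for connections to an IRC port."""
    out = []
    for line in conn_text.splitlines():
        ts, host, dest, _proto = line.split()
        if int(dest.rsplit(":", 1)[1]) in IRC_PORTS:
            out.append((_ts(ts), host, dest))
    return out

def find_php_then_irc(proxy_text, conn_text, window=WINDOW):
    """For each IRC-port connection, report the latest PHP request the same
    host made within `window` before it; hosts with no such request are skipped."""
    php = php_requests(proxy_text)
    hits = []
    for when, host, dest in irc_connections(conn_text):
        prior = [(t, url) for t, h, url in php if h == host and when - window <= t <= when]
        if prior:
            _t, url = max(prior)
            hits.append((host, url, dest))
    return hits

if __name__ == "__main__":
    for host, url, dest in find_php_then_irc(PROXY_LOG, CONN_LOG):
        print(f"{host}: PHP request {url} then IRC-port connection to {dest}")
```

Port-based matching misses IRC run on non-standard ports; where the sensor identifies the protocol itself, key on that instead of the destination port.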