Cyberspying targeted South Korea, US military
By Youkyung Lee and Martha Mendoza, AP, Jul 8, 2013
SEOUL, South Korea (AP)—The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives, cybersecurity firms say: They also are trying to steal South Korean and U.S. military secrets with a malicious set of codes they’ve been sending through the Internet for years.
The identities of the hackers, and the value of any information they have acquired, are not known to U.S. and South Korean researchers who have studied line after line of computer code. But they do not dispute South Korean claims that North Korea is responsible, and other experts say the links to military spying add fuel to Seoul’s allegations.
Researchers at Santa Clara, California-based McAfee Labs said the malware was designed to find and upload information referring to U.S. forces in South Korea, joint exercises or even the word “secret.”
McAfee said versions of the malware have infected many websites in an ongoing attack that it calls Operation Troy because the code is peppered with references to the ancient city. McAfee said that in 2009, malware was implanted into a social media website used by military personnel in South Korea.
"This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage," said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave The Associated Press a report that the company is releasing later this week. He analyzed code samples shared by U.S. government partners and private customers.
McAfee found versions of the keyword-searching malware dating to 2009. A South Korean cybersecurity researcher, Simon Choi, found versions of the code as early as 2007, with keyword-searching capabilities added in 2008. It was made by the same people who have also launched prior cyberattacks in South Korea over the last several years, Choi said.
Sherstobitoff began his investigation after the March 20 cyberattack, known as the Dark Seoul Incident. It wiped clean tens of thousands of hard drives, including those belonging to three television networks and three banks in South Korea, disabling ATMs and other bank services. South Korea says no military computers were affected by Dark Seoul.
The code used in the shutdown is different from that used to hunt for military secrets, but they share so many characteristics that Sherstobitoff and Choi believe they were made by the same people.
Sherstobitoff said those responsible for the spying had infected computers by "spear phishing": targeted emails that impersonate a trusted sender to get the recipient to open a malicious attachment or link. The hackers also hijacked about a dozen obscure Korean-language religious, social and shopping websites and used them as drop points for what was taken, so that traffic leaving infected computers went to legitimate-looking sites and was less likely to be noticed.
The McAfee expert said the hackers have targeted government networks with military information for at least four years, using code that automatically searched infected computers for dozens of military terms in Korean, including “U.S. Army,” “secret,” “Joint Chiefs of Staff” and “Operation Key Resolve,” an annual military exercise held by U.S. Forces Korea and the South Korean military.
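The keyword-driven collection described above, reconstructed as an added Python example (this is not McAfee's code and not the malware itself): it walks a directory, decodes each text file with the encodings common on Korean hosts (UTF-16 with a byte-order mark, UTF-8, then CP949, the Windows superset of EUC-KR) and reports which files contain any target term. The English terms are those the article names; the Korean renderings, the file extensions, the size cap and the sample files are assumptions constructed for the example.

```python
"""Keyword-driven document triage modelled on the collection logic the
article attributes to Operation Troy.  Added example: not McAfee's code
and not the malware.  Keyword list, extensions and sample files are
constructed for illustration."""
import tempfile
from pathlib import Path

# English terms come from the article; the Korean renderings are assumptions,
# not strings recovered from any sample.
KEYWORDS = [
    "U.S. Army", "secret", "Joint Chiefs of Staff", "Key Resolve",
    "미군", "비밀", "합참", "키리졸브",
]
MAX_BYTES = 4 * 1024 * 1024                 # assumed cap: skip very large files
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md"}  # assumed: plain-text only


def decode_text(data: bytes) -> str:
    """Decode bytes the way text is usually stored on Korean Windows hosts:
    UTF-16 when a byte-order mark is present, otherwise UTF-8, then CP949.
    Returns '' if none of these decode cleanly (binary or unknown format)."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")        # the BOM selects the endianness
    for enc in ("utf-8", "cp949"):
        try:
            return data.decode(enc)         # strict: Hangul in CP949 is not valid UTF-8
        except UnicodeDecodeError:
            continue
    return ""


def keyword_hits(text: str, keywords=KEYWORDS) -> list:
    """Return the keywords present in text, case-insensitive for Latin script.
    Hangul has no case, so casefold() leaves the Korean terms unchanged."""
    folded = text.casefold()
    return [k for k in keywords if k.casefold() in folded]


def scan_tree(root, keywords=KEYWORDS) -> dict:
    """Map each matching file (POSIX-style relative path) to the terms found."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        found = keyword_hits(decode_text(path.read_bytes()), keywords)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree(root) -> None:
    """Write constructed sample files (not real documents): one per encoding
    the scanner handles, plus one benign file that must not match."""
    root = Path(root)
    (root / "exercise").mkdir(parents=True, exist_ok=True)
    (root / "exercise" / "plan.txt").write_bytes(
        "Schedule for Key Resolve, briefed to the Joint Chiefs of Staff.".encode("utf-8"))
    (root / "memo.txt").write_bytes(
        "이 문서는 비밀 등급이며 미군 관계자에게 전달됨.".encode("cp949"))
    (root / "notes.txt").write_bytes(
        "SECRET: draft talking points".encode("utf-16"))  # 'utf-16' emits a BOM
    (root / "lunch.txt").write_bytes(b"Team lunch on Friday at noon.\n")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, terms in run_demo().items():
        print(f"{rel}: {terms}")
```

Run stand-alone, it builds the sample tree in a temporary directory and prints the three matching files. Two points carry over to real cases: a UTF-8-only scanner would silently miss the CP949 memo, which is why the encoding fallback is there, and office formats such as .doc or .hwp would need a format-aware text extractor in front of the same matching step.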
The report does not identify the government networks that were targeted, but it does mention that in 2009, the code was used to infect a social media site used by military personnel living in South Korea. McAfee did not name the military social media site, nor release what language it is in, at the request of U.S. authorities who cited security issues. South Korea has a military force of 639,000 people, and the U.S. has 28,500 military personnel based in the country.
Anti-virus software and safe practices such as not opening links or attachments in unexpected emails reduce the chance of infection, but the March attack shows how hard that is to achieve on a broad scale. Some of the malicious code was even disguised as an anti-virus product from AhnLab Inc., South Korea's largest anti-virus maker, McAfee said, so a familiar product name is no guarantee that a file is safe.
South Korean authorities have blamed the North for many cyberattacks on its government and military websites and have said they linked the March 20 attacks to at least six computers located in North Korea that were used to distribute malicious codes.
James Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack is far more skillful and took place over a much longer period than was previously thought.
"I used to joke that it’s hard for the North Koreans to have a cyber army because they don’t have electricity, but it looks as if the regime has been investing heavily in this," said Lewis. "Clearly this was part of a larger effort to acquire strategic military information and to influence South Korean politics."