South Korean companies attacked by data wiping malware

22 Mar, 2013

Motive behind hack still a mystery

Security companies have pinpointed malware responsible for a major hack in South Korea that wiped computers in several organisations.

Networks in two major banks and three television stations bore the brunt of the attacks by malware dubbed DarkSeoul. The attack left computers unable to boot, as the malware overwrote each PC's Master Boot Record (MBR), the first sector of the disk that holds the boot code and partition table. The attack also affected internet banking and cash machines at Shinhan Bank, while broadcasters KBS, MBC and YTN barely managed to keep to their schedules as computers were left unable to operate.

The finger of blame has been pointed at North Korea for the attack, although no evidence has been found to support this.

Analysis of the malware by IT security firm AlienVault found that it was “a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot."
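The defensive counterpart to the overwrite described above is an MBR integrity check: read the first 512-byte sector, confirm the 0x55AA boot signature and a non-empty partition table, and compare the sector's hash against a baseline recorded while the host was known-good. The following is an added example written for this article, not code from AlienVault, Symantec or the malware itself; the sample MBR, the wipe simulation and the baseline are constructed for illustration, and `read_first_sector` is only a hypothetical helper for running the same check against a real device or disk image.

```python
"""Integrity check for a disk's Master Boot Record (MBR).

Added example: detects the condition an MBR wiper produces (an overwritten
first sector) by parsing the 512-byte MBR, checking its 0x55AA boot signature
and partition table, and comparing the sector's hash against a recorded
baseline. All sample data below is constructed, not taken from real malware.
"""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # boot signature at offset 510
PART_TABLE_OFFSET = 446              # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a plausible, intact MBR (example data, not from a real disk)."""
    boot_code = b"\xfa\x31\xc0" + b"\x90" * (440 - 3)   # cli; xor ax,ax; nop padding
    disk_signature = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    # One bootable Linux (type 0x83) primary partition starting at LBA 2048.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x83,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 16 * 3
    mbr = boot_code + disk_signature + reserved + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def simulate_wipe(sector: bytes, fill: int = 0x00) -> bytes:
    """Model what an MBR wiper leaves behind: the whole sector replaced by filler."""
    return bytes([fill]) * len(sector)


def sector_sha256(sector: bytes) -> str:
    """Hash of the whole sector; record this as the baseline on a known-good host."""
    return hashlib.sha256(sector).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Parse the boot signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                      # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {"signature_ok": sector[510:512] == MBR_SIGNATURE,
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table has no entries")
    if sector_sha256(sector) != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def read_first_sector(path: str) -> bytes:
    """Hypothetical helper: read the MBR from a raw device or image (needs read access)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_sha256(good)       # captured while the host is known-good
    print("intact:", check_mbr(good, baseline))
    print("wiped :", check_mbr(simulate_wipe(good), baseline))
```

The hash comparison is the check that matters: a wiper that overwrites the sector with valid-looking bytes would still pass the signature and partition-table tests, so the baseline must be recorded before an incident and stored off the host. On a live system the sector would come from the boot device (for example via `read_first_sector` on the raw disk with administrative privileges) rather than from `build_sample_mbr`.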

Jaime Blasco, Labs Director at AlienVault, said that other companies had published information about the wiper payloads but that no one had given any information about how the attackers gained access to the affected networks.

"To execute the payload the attackers would have had to gain access to the companies somehow and execute the wiping routine at the same time in the affected computer," he said.

"If the goal of the attackers was to create panic it means they did not have a specific list of victims."

Blasco added that one of the easiest ways to gain access to several targets without much in the way of resources or skills would be to buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure, "or even better rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

Symantec dubbed the same malware the "Jokra Trojan" and said in a separate analysis that it contained a module that could wipe Linux machines as well as Windows ones.

It said in a blog post that while there were currently no indications of the source of this attack or the motivations behind it, "it may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands."

According to a Reuters report, LG U+, the company providing internet connectivity to some of the affected companies, said it believed its network had been hacked.