
South Korean companies attacked by data wiping malware

Motive behind hack still a mystery

Security companies have pinpointed malware responsible for a major hack in South Korea that wiped computers in several organisations.

Networks in two major banks and three television stations bore the brunt of the attacks by malware dubbed DarkSeoul. The hack left computers unable to boot because the malware wiped the PCs' Master Boot Record (MBR). The attack also affected internet banking and cash machines at Shinhan Bank, while broadcasters KBS, MBC and YTN barely managed to keep to their schedules as computers were left unable to operate.

The finger of blame has been pointed to North Korea for the attack, although no evidence has been found to support this.

Analysis of the malware by IT security firm AlienVault found that it was "a very simple piece of code that overwrites the MBR (Master Boot Record) making the affected system unable to start after reboot."
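Because the payload described above is simply an overwrite of the first sector, the defender's check is equally simple: parse the 512-byte MBR, confirm the 0x55AA boot signature and partition table are intact, and compare the sector's hash with a baseline recorded while the machine was healthy. The script below is an added example, not code from AlienVault or this article; the function names, the constructed sample MBR and the all-zero "wiped" sector are assumptions made for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into boot-code hash, partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # Partition table starts at offset 446; each entry is 16 bytes:
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        entry = sector[446 + 16 * i : 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append(
                {"bootable": status == 0x80, "type": ptype,
                 "lba_start": lba_start, "sectors": sectors}
            )
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of the whole sector, recorded while the system is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector will not boot")
    if not info["partitions"]:
        findings.append("partition table empty")
    if baseline_hash(sector) != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or disk image (needs raw-device rights)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:3] = b"\xeb\x3c\x90"  # a jump, as real boot code begins with
    # status=0x80 (bootable), CHS zeros, type=0x07 (NTFS), CHS zeros, LBA 2048, 204800 sectors
    sector[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed: what a zero-fill overwrite of sector 0 leaves behind.
WIPED_MBR = bytes(MBR_SIZE)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = baseline_hash(healthy)
    print("healthy:", check_mbr(healthy, baseline) or "OK")
    print("wiped:  ", check_mbr(WIPED_MBR, baseline))
```

In practice the baseline hash is taken once per host (for example from `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both of which require administrative rights to open) and stored off the machine, so that the comparison still works when the host itself can no longer boot and the disk is examined from rescue media.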

Jaime Blasco, Labs Director at AlienVault, said that other companies have published information about the wiper payloads but no one is giving information about how the attackers gained access to the affected networks.

"To execute the payload the attackers would have had to gain access to the companies somehow and execute the wiping routine at the same time in the affected computer," he said.

"If the goal of the attackers was to create panic it means they did not have a specific list of victims."

Blasco added that one of the easiest ways to gain access to several targets without having too much resources/skills would be to buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure "or even better rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

Symantec dubbed the same malware the "Jokra Trojan" and said in a separate analysis that it contained a module that could wipe Linux machines as well as Windows.

It said in a blog post that while there were currently no indications of the source of this attack or the motivations behind it, "it may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands."

According to a Reuters report, LG U+, the company providing internet connectivity to some of the affected companies, said that it believed its network was hacked.
