South Korean cyber attacks part of a four-year campaign of espionage - McAfee

McAfee claims 'New Romanic Cyber Army Team' likely behind four-year cyber campaign

A high-profile cyber attack on government and business PCs in South Korea in March 2013 was not an isolated incident, but was instead the culmination of a four-year-long cyber espionage campaign, claims Intel-owned security software vendor McAfee.

"Our analysis of this attack - known first as Dark Seoul and now as Operation Troy - has revealed that in addition to the data losses of the MBR [master boot record] wiping, the incident was more than cyber-vandalism. The attacks on South Korean targets were actually the conclusion of a covert espionage campaign," claims McAfee's report.

It continues: "Public reports covering what is known as the Dark Seoul incident, which occurred on 20 March 2013, addressed only the MBR wiper components. Many of the details of this incident have been examined, and most analysts conclude this was an isolated, though clearly coordinated, attack.

"However, McAfee Labs has found that there was more to the incident than what was widely reported. Our analysis has revealed a covert espionage campaign. Typically this sort of advanced persistent threat (APT) campaign has targeted a number of sectors in various countries, but Operation Troy, as these attacks are now called, targets solely South Korea.

"Our investigation into Dark Seoul has found a long-term domestic spying operation under way since at least 2009. The operation, all based on the same code, has attempted to infiltrate specific South Korean targets. We call this Operation Troy, based on the frequent use of the word 'Troy' in the compile path strings in the malware."

McAfee names the New Romanic Cyber Army Team as the "prime suspect" behind the attacks, because terms the group has used match terms that cropped up in the malware's code over the course of the campaign.

The attacks were run through a botnet whose command-and-control servers were IRC servers hosted on compromised South Korea-based websites. According to McAfee, the infected clients communicated with those IRC servers using RSA encryption, with the cryptographic functions imported from the Microsoft Cryptography API library.

Once information of interest had been identified on a compromised system, it was sent back over the encrypted network the attackers had put together.
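The infrastructure described above has a detectable shape on the network: internal hosts holding IRC sessions with an external address that is otherwise a web server. The following is an added example, not code from McAfee or the report, of a triage script that looks for that pattern in Zeek-style conn.log records. The log lines are constructed for the example; the IRC and web port lists and the internal address ranges are assumptions, not details from the article.

```python
"""Flag IRC-style sessions from internal hosts to external web servers.

Added example (not from the McAfee report). The report describes IRC
command-and-control servers hosted on compromised websites; the detector
below correlates per-destination port usage so that an external address
seen serving HTTP/HTTPS *and* accepting IRC sessions from inside the
network is surfaced, together with the internal clients talking to it.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed port lists: standard IRC ports (6697 is IRC over TLS) and web ports.
IRC_PORTS = {6667, 6668, 6669, 6697}
WEB_PORTS = {80, 443}

# Constructed sample in Zeek conn.log column order (subset):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration
SAMPLE_CONN_LOG = """\
1363766400.1\t10.20.1.15\t51234\t203.0.113.10\t80\ttcp\thttp\t0.4
1363766401.3\t10.20.1.15\t51240\t203.0.113.10\t6667\ttcp\tirc\t3600.0
1363766402.0\t10.20.1.22\t50011\t203.0.113.10\t6667\ttcp\t-\t7200.0
1363766403.7\t10.20.1.30\t49877\t198.51.100.5\t6667\ttcp\tirc\t120.0
1363766404.2\t10.20.1.41\t52000\t203.0.113.77\t443\ttcp\tssl\t1.1
1363766405.9\t10.20.1.15\t51300\t203.0.113.77\t80\ttcp\thttp\t0.2
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, service, duration = line.split("\t")
        records.append({
            "ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
            "service": service, "duration": float(duration),
        })
    return records


def find_irc_on_web_hosts(records,
                          internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return external servers that both serve web ports and accept IRC from inside.

    A destination is flagged only if at least one internal client reached it on
    an IRC port (or Zeek tagged the session as 'irc') AND some internal client
    also reached it on a web port. Plain IRC servers with no web presence are
    deliberately left out; they are a weaker signal for this particular TTP.
    """
    nets = [ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    ports_by_dst = defaultdict(set)       # dst ip -> set of destination ports seen
    irc_clients = defaultdict(set)        # dst ip -> internal sources using IRC
    irc_seconds = defaultdict(float)      # dst ip -> total IRC session time

    for r in records:
        # Only outbound traffic from the internal ranges to external hosts.
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        ports_by_dst[r["dst"]].add(r["dport"])
        if r["dport"] in IRC_PORTS or r["service"] == "irc":
            irc_clients[r["dst"]].add(r["src"])
            irc_seconds[r["dst"]] += r["duration"]

    findings = []
    for dst, clients in irc_clients.items():
        if ports_by_dst[dst] & WEB_PORTS:
            findings.append({
                "server": dst,
                "clients": sorted(clients),
                "irc_seconds": irc_seconds[dst],
            })
    return sorted(findings, key=lambda f: f["server"])


if __name__ == "__main__":
    for hit in find_irc_on_web_hosts(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['server']}: IRC from {', '.join(hit['clients'])} "
              f"({hit['irc_seconds']:.0f}s total)")
```

On the constructed sample only 203.0.113.10 is reported, since it served HTTP to one client and held long-lived IRC sessions with two; 198.51.100.5 is IRC-only and 203.0.113.77 is web-only, so neither is flagged. Because the IRC payload in this campaign was RSA-encrypted, content inspection of the sessions is of little help and the port and host correlation above is the practical starting point; legitimate web hosts that also run IRC will produce false positives and need an allow-list.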

"We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011, and 2013... This [encrypted] network was designed to camouflage all communications between the infected systems and the control servers... Everything extracted from these military networks would be transmitted over this encrypted network once the malware identified interesting information.

"What makes this case particularly interesting is the use of automated reconnaissance tools to identify what specific military information internal systems contained before the attackers tried to grab any of these files," claims McAfee.

The report details how the attackers first carried out reconnaissance, categorising compromised systems and the information they held, and only then returned to collect and copy the data they wanted.

The research was carried out by Ryan Sherstobitoff, a threats researcher with McAfee Labs and formerly chief security strategist at Panda Security; Itai Liba, a senior security researcher at McAfee; and James Walter, director of Global Threat Intelligence Operations at McAfee.