Anatomy of a cunning APT: the SK Communications breach

How hackers turned a patch server into an attack vector.

The hackers who breached South Korean SK Communications in July, gaining access to the personal details of 35 million Nate and CyWorld social network users, executed a cunning attack that relied on compromised infrastructure spanning several countries.

Unlike the attack on RSA, which fooled staff with a socially engineered email carrying an Excel attachment, SK Communications' attackers targeted its third-party software provider before moving up the chain to more valuable resources, according to a detailed analysis by Australian IT firm Command Five.

The attackers, believed to have conducted their attack from Chinese IP addresses, compromised SK Communications' update server as it reached out to its supplier for a routine check-up, according to the analysis, effectively turning the company's security procedures into a vulnerability.

According to the analysis, the malware "nateon.exe", which launched the remote access tool (RAT) used to actually acquire the personal details of 35 million Nate and CyWorld users, had been compiled from source code more than six months before its use against SK Communications.

“The RAT can not only access and query databases but can also enumerate the networks to which the infected computer is connected, set up network connections, modify the registry, lock the workstation's screen, control processes and services running on the computer, download files, create files, take screenshots and shut down, reboot or log out of the computer,” according to Command Five.

Before this tool was used, however, the attackers had first gained access to the update server of one of SK Communications' software suppliers, South Korean software and security company ESTsoft, which makes the file compression product ALZip, part of its ALTools suite alongside its ALYac antivirus software.

While the security of ALYac itself was not compromised, the breach of ESTsoft's systems meant that when SK Communications' servers checked for ALTools updates, they were redirected to the attackers' content delivery network and served a trojan instead of ESTsoft's patches.

The trojan exploited a flaw in the ALTools Common Module Update application, according to Command Five.

In total, 60 SK Communications computers were compromised via the trojanised update, which then dropped a backdoor, 'Backdoor.Agent.Hza', onto the computers, giving the attackers access to SK Communications' network.
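The update chain described above failed because the client trusted whatever the update channel handed back. The following is an added example, not code from Command Five, ESTsoft or SK Communications, showing the checks a hardened update client would apply before installing a module: the final download origin must be an allowlisted vendor host over HTTPS, the offered version must be newer than what is installed, and the payload must match a digest from a manifest that was authenticated separately. The host names, version numbers, payload bytes and digest are all constructed for this example; the manifest is assumed to have been verified already, for instance by checking a signature against a key pinned in the client.

```python
"""Hardened update-client checks (added example; all values constructed)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts the vendor's update policy permits (constructed; not a real vendor host).
ALLOWED_UPDATE_HOSTS = {"update.vendor.example"}


class UpdateRejected(Exception):
    """Raised when an update fails an origin, version or integrity check."""


def check_origin(final_url):
    """Accept the download only if the URL the client actually ended up at,
    after any redirects, is HTTPS and on an allowlisted vendor host.
    A redirect to a third-party CDN the vendor never authorised fails here."""
    parsed = urlparse(final_url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"insecure scheme {parsed.scheme!r}")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        raise UpdateRejected(f"update fetched from untrusted host {parsed.hostname!r}")
    return parsed.hostname


def check_version(offered, installed):
    """Refuse downgrades: whoever controls the channel must not be able to
    push an older, known-vulnerable module back onto the client."""
    if tuple(offered) <= tuple(installed):
        raise UpdateRejected(f"version {offered} is not newer than {installed}")
    return tuple(offered)


def check_digest(payload, expected_hex):
    """Compare the downloaded bytes with the digest from the authenticated
    manifest, using a constant-time comparison."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_hex):
        raise UpdateRejected("payload digest does not match manifest")
    return actual


def apply_update(installed_version, manifest, fetch):
    """manifest: dict with 'version', 'url' and 'sha256', assumed already
    authenticated (e.g. signature verified against a pinned vendor key).
    fetch: callable(url) -> (final_url, payload_bytes), standing in for the
    HTTP client so the example runs offline. Returns the verified payload."""
    check_version(manifest["version"], installed_version)
    final_url, payload = fetch(manifest["url"])
    check_origin(final_url)
    check_digest(payload, manifest["sha256"])
    return payload


# Constructed sample data: a genuine module, a trojanised one, and the manifest.
GENUINE_PATCH = b"constructed genuine common-module bytes, version 1.2.1"
TROJAN = b"constructed trojanised common-module bytes"
MANIFEST = {
    "version": (1, 2, 1),
    "url": "https://update.vendor.example/common_module/1.2.1.bin",
    "sha256": hashlib.sha256(GENUINE_PATCH).hexdigest(),
}


def honest_fetch(url):
    """Vendor server answers directly with the genuine module."""
    return url, GENUINE_PATCH


def redirected_fetch(url):
    """Models the scenario on this page: the update request is bounced to an
    attacker-controlled CDN that serves a trojan in place of the patch."""
    return "https://cdn.attacker.example/common_module/1.2.1.bin", TROJAN


def same_host_swap_fetch(url):
    """Vendor host itself serves the trojan (compromised server): the origin
    check passes, but the digest check still rejects the payload."""
    return url, TROJAN


def demo():
    """Run the three scenarios and report what the client decided."""
    results = {"genuine": apply_update((1, 2, 0), MANIFEST, honest_fetch) == GENUINE_PATCH}
    for name, fetch in (("redirect", redirected_fetch), ("swap", same_host_swap_fetch)):
        try:
            apply_update((1, 2, 0), MANIFEST, fetch)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The origin allowlist only stops the redirect case; when the vendor's own update server is the thing that has been compromised, as it was at ESTsoft, the digest check against an independently authenticated manifest is what rejects the swapped payload. Both checks are worthless if the manifest arrives unauthenticated over the same channel the attacker controls, which is why its signature must be verified against a key the client already holds.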

During a seven-day period between 18 July and 25 July, the attackers gathered additional database credentials, using a toolbox hosted on the web server of a presumably hacked Taiwanese publisher, Cite Media.

Key lessons drawn from the analysis were that attackers may use targets such as ESTsoft as a launchpad, or as a diversionary "waypoint" as in the case of Cite Media, to deflect attention from the attackers' own infrastructure.


Stories by Liam Tung