Corporate Partners

South Korea hit by disk wiping attack blamed on 'DarkSeoul' gang

Cyberwar, Pyongyang style

South Korea has come under attack from a vicious new disk wiping Trojan that is almost certainly part of a long-term campaign against organisations in the country, Symantec has said.

The new Trojan, named 'Korhigh' by the firm's researchers, is similar to the 'Jokra' Trojan that hit the country in March in that it attempts to delete system files and render a Windows PC unbootable by overwriting the Master Boot Record (MBR). Korhigh also targets data files.

Unlike Jokra, however, the new Trojan doesn't appear to have had anything like the same success, probably because it is a fairly crude piece of malware with low distribution. Defences have also been tightened up since the earlier attacks.

Symantec hasn't pinned the blame for the malware on any particular agency but the suspicion will fall squarely on North Korea and one hacking group in particular, the so-called 'DarkSeoul' gang.

Previously shadowy, the gang was earlier this week connected by Symantec to a four-year long series of obsessive-compulsive attacks on South Korean and US targets, often on significant dates in the calendar. This includes a DDoS attack timed to coincide with the 63rd anniversary of the start of the Korean War on 25 June.

Disk wiping is a speciality of the group. In the March attack, South Korea came under one of the most sustained multi-stage attacks ever experienced by a single country, which included infecting 50,000 PCs in media organisations with the Jokra disk wiper.

"Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well," noted Symantec's blog.

"Cybersabotage attacks on a national scale have been rare - Stuxnet and Shamoon are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years."

On the assumption that North Korea is behind the attacks, they now look like part of a much larger campaign of nuisance attacks designed to manufacture the the sense of conflict that seems so important to its totalitarian rulers. Symantec said they expected the attacks would carry on for the foreseeable future.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecurity

More about Symantec

Comments

Comments are now closed

Market Place