South Korea hit by disk wiping attack blamed on 'DarkSeoul' gang

Cyberwar, Pyongyang style

South Korea has come under attack from a vicious new disk wiping Trojan that is almost certainly part of a long-term campaign against organisations in the country, Symantec has said.

The new Trojan, named 'Korhigh' by the firm's researchers, is similar to the 'Jokra' Trojan that hit the country in March in that it attempts to delete system files and render a Windows PC unbootable by overwriting the Master Boot Record (MBR). Korhigh also targets data files.
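The mitigation side of that behaviour is simple to monitor: the MBR is a single 512-byte sector, so a host can record a baseline hash of it and compare on every boot or on a schedule. The following is an added example written for this article, not code from Symantec or from the malware analysis; it builds a constructed sample sector (a placeholder boot stub and one NTFS partition entry, both assumptions) and shows how a zero-filled or clobbered first sector fails the checks. The `read_first_sector` helper and the device paths in its comment are assumptions about how a real deployment would obtain the sector.

```python
"""Added example (not Symantec's code): baseline-and-compare check for the first
disk sector, the MBR that wipers such as Korhigh and Jokra overwrite."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # 4 entries x 16 bytes follow the boot code


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (assumption: a placeholder boot stub and one NTFS
    partition), standing in for the sector read from a real disk."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_048_576)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


def sector_hash(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this as the baseline when the host is built."""
    return hashlib.sha256(sector).hexdigest()


def partition_entries(sector: bytes) -> list:
    """Return the non-empty partition entries as (status, type, lba_start, count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            entries.append((status, ptype, lba, count))
    return entries


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Compare a freshly read sector 0 against the baseline; an empty list means healthy."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not partition_entries(sector):
        findings.append("partition table empty")
    if sector_hash(sector) != baseline_hash:
        findings.append("sector hash differs from baseline")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a block device (needs admin rights; assumed paths are
    r'\\.\PhysicalDrive0' on Windows or '/dev/sda' on Linux). Not used by demo()."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def demo() -> dict:
    """Run the check against the healthy sample and two constructed damaged sectors."""
    healthy = build_sample_mbr()
    baseline = sector_hash(healthy)
    zeroed = b"\x00" * SECTOR_SIZE                   # constructed: first sector zero-filled
    overwritten = b"\x41" * 510 + BOOT_SIGNATURE     # constructed: boot code and table clobbered
    return {
        "healthy": check_mbr(healthy, baseline),
        "zeroed": check_mbr(zeroed, baseline),
        "overwritten": check_mbr(overwritten, baseline),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The hash comparison is the check that matters: the signature and partition-table tests only catch crude zero-fills, while an overwrite that keeps the 0x55AA trailer still trips the baseline mismatch. In a real deployment the baseline would be stored off-host (or signed) so a wiper that also reaches the baseline file cannot hide the change.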

Unlike Jokra, however, the new Trojan doesn't appear to have had anything like the same success, probably because it is a fairly crude piece of malware with low distribution. Defences have also been tightened up since the earlier attacks.

Symantec hasn't pinned the blame for the malware on any particular agency but the suspicion will fall squarely on North Korea and one hacking group in particular, the so-called 'DarkSeoul' gang.

Previously shadowy, the gang was earlier this week connected by Symantec to a four-year-long series of obsessive-compulsive attacks on South Korean and US targets, often on significant dates in the calendar. These include a DDoS attack timed to coincide with the 63rd anniversary of the start of the Korean War on 25 June.

Disk wiping is a speciality of the group. In the March attack, South Korea came under one of the most sustained multi-stage attacks ever experienced by a single country, which included infecting 50,000 PCs in media organisations with the Jokra disk wiper.

"Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well," noted Symantec's blog.

"Cybersabotage attacks on a national scale have been rare - Stuxnet and Shamoon are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years."

On the assumption that North Korea is behind the attacks, they now look like part of a much larger campaign of nuisance attacks designed to manufacture the sense of conflict that seems so important to its totalitarian rulers. Symantec said it expected the attacks to carry on for the foreseeable future.

Tags: symantec, security
