McAfee uncovers spying campaign behind Dark Seoul attack

Security vendor finds recent cyber attack was connected to a larger spying initiative

South Korea may have been hit by a major cyber attack on March 20, but the incident actually hid something more sinister, according to McAfee Labs.

Dubbed Dark Seoul, this online attack resulted in tangible damage to affected organisations, with thousands of hard drives being wiped.

However, McAfee Labs senior threat researcher, Ryan Sherstobitoff, said the more compelling aspect of the attack was that it unearthed evidence of a four-year military spying campaign called Operation Troy.

Sherstobitoff said this is the first time a connection has been established between this series of cyber events.

“All of the information we know about Dark Seoul up until recently was that it was an isolated incident, and associated with DNS attacks and wiping hard drives clean,” he said.

“However, this is the first time we have found something that is illustrating an undocumented, in-the-shadows type of espionage campaign that would typically not be associated with Dark Seoul.”

It was while investigating the cyber attack that McAfee uncovered the true mission of the group, which was military spying.

In fact, Sherstobitoff said Dark Seoul was the tip of the iceberg and merely a by-product of the overall mission.

“Dark Seoul essentially acted as a sub-campaign for a long term campaign that consisted of spying for over four years,” he said.

Caught in the act

Although the espionage took place over several years, Sherstobitoff said the linkage to Dark Seoul was only established because of the similarity of the DNS attacks.

“Due to the lack of visibility into these espionage samples that were in circulation, nobody connected the dots or found that these particular payloads were actually connected to Dark Seoul,” he said.

Things began to unravel when McAfee started to compare the attributes that it found in the Dark Seoul malware with the other suspicious, unknown malware that could be part of the attack.

“We were then able to confirm that they shared a bunch of code that is unique to this attack, and thus shed a greater picture on what the overall intent was of this adversary,” Sherstobitoff said.
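The linking method described above, comparing code-level attributes across samples and looking for shared code that is unique to one adversary, can be reduced to a small similarity-and-clustering exercise. The following is an added example, not McAfee's tooling or data: the feature sets are constructed for illustration (think of them as normalised function hashes or distinctive strings pulled from each binary by an analyst), and the sample names are hypothetical. It shows how a low similarity threshold joins the "wiper" samples to the "espionage" samples through shared code, and how commodity features present in unrelated malware are excluded from the evidence.

```python
from itertools import combinations

# Constructed corpus: sample name -> set of code-feature tokens.
# These tokens are invented for the example; they are not real IoCs.
SAMPLES = {
    "wiper_A": {"f_mbr_overwrite", "f_dns_flood", "f_cfg_decode_xor", "s_cmd_shutdown"},
    "wiper_B": {"f_mbr_overwrite", "f_dns_flood", "f_cfg_decode_xor", "s_cmd_shutdown", "f_drv_enum"},
    "espionage_X": {"f_cfg_decode_xor", "s_cmd_shutdown", "f_keylog", "f_http_beacon"},
    "espionage_Y": {"f_cfg_decode_xor", "f_keylog", "f_http_beacon", "f_file_exfil"},
    # Unrelated family that happens to share a generic HTTP beacon routine.
    "unrelated_Z": {"f_http_beacon", "f_upx_stub", "s_mutex_generic"},
}


def jaccard(a, b):
    """Jaccard similarity of two feature sets: 0.0 = nothing shared, 1.0 = identical."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def pairwise_similarity(samples):
    """Similarity for every unordered pair of samples, highest first for triage."""
    pairs = {}
    for x, y in combinations(sorted(samples), 2):
        pairs[(x, y)] = jaccard(samples[x], samples[y])
    return dict(sorted(pairs.items(), key=lambda kv: -kv[1]))


def cluster_samples(samples, threshold):
    """Single-linkage clustering with union-find: two samples land in the same
    cluster if a chain of pairs at or above the threshold connects them.
    Returns clusters as sets, largest first, ties broken by the smallest name."""
    parent = {name: name for name in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for (x, y), sim in pairwise_similarity(samples).items():
        if sim >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def linking_features(samples, cluster, min_members=2):
    """Features seen in at least min_members samples of the cluster and in no
    sample outside it. This is the 'code unique to this adversary' evidence;
    anything also present in unrelated malware is dropped as commodity code."""
    outside = set().union(*(samples[n] for n in samples if n not in cluster))
    counts = {}
    for name in cluster:
        for feature in samples[name]:
            counts[feature] = counts.get(feature, 0) + 1
    return {f for f, c in counts.items() if c >= min_members and f not in outside}


if __name__ == "__main__":
    for pair, sim in pairwise_similarity(SAMPLES).items():
        print(f"{pair[0]:>12} ~ {pair[1]:<12} {sim:.3f}")
    # A strict threshold reproduces the 'isolated incident' view ...
    print("strict:", cluster_samples(SAMPLES, 0.5))
    # ... a looser one connects the wiper samples to the espionage samples.
    linked = cluster_samples(SAMPLES, 0.3)
    print("linked:", linked)
    print("shared by all members:", linking_features(SAMPLES, linked[0], len(linked[0])))
    print("shared by two or more:", linking_features(SAMPLES, linked[0]))
```

The design choice worth noting is the `outside` subtraction in `linking_features`: a routine such as the HTTP beacon that also turns up in an unrelated family is never counted as a link, regardless of how many cluster members carry it, while a shared configuration decoder found nowhere else is exactly the kind of attribute that ties one campaign to another.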

Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.

Tags: espionage attacks, McAfee, DNS