Anatomy of a cunning APT: the SK Communications breach

How hackers turned a patch server into an attack vector.

The hackers that breached South Korean SK Communications in July, gaining access to 35 million Nate and CyWorld social network users, executed a cunning attack that relied on compromised infrastructure spanning several countries.

Unlike the attack on RSA, which fooled staff with a socially engineered email containing an Excel attachment, SK Communications’ attackers targeted its third party software provider before moving up the chain to more valuable resources, according to a detailed analysis by Australian IT firm Command Five. 

The attackers, believed to have conducted their attack from Chinese IP addresses, had compromised SK Communication’s update server as its reached out to its supplier for a routine check up, according to the analysis, effectively turning the company’s security procedures into a vulnerability.

An analysis of the malware “nateon.exe” which launched the remote access tool (RAT) that was used to actually acquire the personal details of 35 million Nate and CyWorld users, had been compiled from source code over 6 months prior to its use on SK Communications.

“The RAT can not only access and query databases but can also enumerate the networks to which the infected computer is connected, set up network connections, modify the registry, lock the workstation's screen, control processes and services running on the computer, download files, create files, take screenshots and shutdown, reboot or log out of the computer,” according to Command Five.

Before this tool was used however, the attackers had first gained access to the update server of one of SK Communication’s software suppliers, South Korean software and security company ESTsoft, which makes a file compression product ALZip that is part of its ALTools suite, including its ALYac antivirus software.

While the security of ALYac itself was not compromised, the breach of its systems meant that when SK Communications servers did its check for ALTools updates, it was redirected to the attackers Content Delivery Network and delivered a trojan instead of picking up ESTsoft’s patches.

The trojan exploited a flaw in ALTools Common Module Update application, according to Command Five.

In total 60 SK Communications computers were compromised via the trojanised update, which then dropped a backdoor ‘Backdoor.Agent.Hza’  on to the computers, giving the attackers access to SK Communication’s network.

During a seven day period between 18 July and 25 July the attackers gathered additional database credentials, using a toolbox that had been located on the web server of a presumably hacked Taiwanese publisher, Cite Media. 

Key lessons drawn from the analysis were that attackers may use targets as, such as ESTsoft as a launchpad, or as a diversionary “waypoint” as in the case of Cite Media, to deflect attention away from the attackers own infrastructure. 

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags hackersmalwarersaShady RATSouth Korean SK Communications

More about APTetworkExcelRSASK

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts