McAfee uncovers spying campaign behind Dark Seoul attack

Security vendor finds recent cyber attack was connected to a larger spying initiative

South Korea may have been hit by a major cyber attack on March 20, but the incident actually hid something more sinister, according to McAfee Labs.

Dubbed Dark Seoul, this online attack resulted in tangible damage to affected organisations, with thousands of hard drives being wiped.

However, McAfee Labs senior threat researcher, Ryan Sherstobitoff, said the more compelling aspect of the attack was that it unearthed evidence of a four-year military spying campaign called Operation Troy.

Sherstobitoff said this is the first time a connection has been established between this series of cyber events.

“All of the information we know about Dark Seoul up until recently was that it was an isolated incident, and associated with DNS attacks and wiping hard drives clean,” he said.

“However, this is the first time we have found something that is illustrating an undocumented, in-the-shadows type of espionage campaign that would typically not be associated with Dark Seoul.”

It was while investigating the cyber attack that McAfee uncovered the true mission of the group, which was military spying.

In fact, Sherstobitoff said Dark Seoul was the tip of the iceberg and merely a by-product of the overall mission.

“Dark Seoul essentially acted as a sub-campaign for a long term campaign that consisted of spying for over four years,” he said.

Caught in the act

Although the espionage took place over several years, Sherstobitoff said the linkage to Dark Seoul was only established because of the similarity of the DNS attacks.

“Due to the lack of visibility into these espionage samples that were in circulation, nobody connected the dots or found that these particular payloads were actually connected to Dark Seoul,” he said.

Things began to unravel when McAfee started to compare the attributes that it found in the Dark Seoul malware with the other suspicious, unknown malware that could be part of the attack.

“We were then able to confirm that they shared a bunch of code that is unique to this attack, and thus shed a greater picture on what the overall intent was of this adversary,” Sherstobitoff said.

Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.
