A researcher who has studied the malicious software used in the attacks on media outlets and banks in South Korea this week said the attacks were coordinated, but messy and loud, without many of the hallmarks of a state sponsored hacking operation.
Richard Henderson, a Security Strategist at Fortilabs at Fortinet Inc., said that the malware used in the attack was programmed to begin operating at 2:00pm local time, suggesting that those behind it had planned their operation for weeks or months before launching it. Still, Henderson said many details of the attack make it dissimilar from so-called “advanced persistent threat” or APT-style hacks that are carried out by foreign governments or groups working on their behalf.
Henderson said that Fortinet analysts first obtained a copy of the malware on March 19, a day before the attacks. Researchers there had already identified the “time bomb” hidden in the code, which was programmed to launch at 2:00pm Korea Standard Time. The targets were all South Korean, while the use of a coordinated launch time suggests those behind the attack were acting deliberately. “It’s entirely possible that people behind this had planned this for a long time,” Henderson said.
However, in many other respects, the attack was simple and unsophisticated. Victims were attacked with infected e-mail attachments, while the malware was designed to wipe the hard drive and any network drives connected to the target system. A separate Linux wiper program was used to find Linux-based file shares on local subnets and shared drives and erase those.
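The behaviour described above, a single process deleting large numbers of files in a short burst and reaching out onto network shares, is what a defender can look for in host audit data. The following script is an added example written for this article, not code from Fortinet or from the malware analysis: it parses constructed audit log lines (the log format, the `update.exe` process name, the 60-second window and the 20-deletion threshold are all assumptions) and flags processes whose deletion rate looks wiper-like, counting how many of the deleted paths sit on network shares.

```python
"""Added example: flag wiper-like mass deletion in host audit logs.

Log format, paths, process names and thresholds are constructed assumptions
for this illustration; they are not from the article or from Fortinet.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format:
#   <ISO timestamp> pid=<n> exe=<path> op=<unlink|write|open> path=<file>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) exe=(?P<exe>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)

# Prefixes treated as network share paths (UNC on Windows, common mount points on Linux).
NETWORK_PREFIXES = ("\\\\", "/mnt/", "/net/", "/media/")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def is_network_path(path):
    return path.startswith(NETWORK_PREFIXES)


def find_wiper_candidates(lines, window=timedelta(seconds=60), min_deletes=20):
    """Return one finding per process whose deletions in any sliding `window`
    reach `min_deletes`. Slow, steady deletion by a user never trips this."""
    per_pid = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["op"] == "unlink":
            per_pid[ev["pid"]].append(ev)

    findings = []
    for pid, events in per_pid.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()  # deletions inside the current window
        peak = 0
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= min_deletes:
            findings.append({
                "pid": pid,
                "exe": events[0]["exe"],
                "peak_deletes_per_window": peak,
                "network_deletes": sum(1 for e in events if is_network_path(e["path"])),
            })
    return findings


def build_sample_log():
    """Constructed audit lines: one wiper-like process plus benign activity."""
    t0 = datetime(2013, 3, 20, 14, 0, 0)  # 2:00pm, the trigger time the article reports
    lines = []
    # Assumed malicious process: 30 deletions in 30 seconds, every sixth one on a UNC share.
    for i in range(30):
        if i % 6 == 0:
            path = r"\\fileserver\share\doc%02d.docx" % i
        else:
            path = r"C:\Users\kim\Documents\q%02d.xlsx" % i
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append("%s pid=4120 exe=C:\\Users\\kim\\AppData\\Roaming\\update.exe op=unlink path=%s" % (ts, path))
    # Benign: a user tidying three downloads over an hour.
    for i in range(3):
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append("%s pid=988 exe=C:\\Windows\\explorer.exe op=unlink path=C:\\Users\\kim\\Downloads\\old%d.zip" % (ts, i))
    # Benign: a document save, not a deletion at all.
    lines.append("%s pid=2200 exe=C:\\Program Files\\Office\\winword.exe op=write path=C:\\Users\\kim\\Documents\\memo.docx" % t0.isoformat())
    return lines


if __name__ == "__main__":
    for finding in find_wiper_candidates(build_sample_log()):
        print(finding)
```

The sliding window is the important design choice: an absolute count of deletions would also flag backup rotation or a user emptying a folder, whereas a burst of dozens of deletions within a minute, some of them on shares, is the shape of the wiper activity the article describes.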
Many components of the attack were commercially available on the cyber underground, including malware and command and control servers associated with the Gondad exploit kit, a common Chinese attack tool.
The intent of the attack was to make as much impact and noise as possible, he said, not to penetrate the network and steal as much data as possible. “This was intended to be messy and noisy. To create a big media impact and political impact,” he said.
“In my opinion, this was not state sponsored. It didn’t have the finesse and the damage that was indicative of an attacker who was not a state sponsored group,” he said. “This was someone trying to make a name and cause mischief, or stir the pot.”
In the end, it was what Henderson called the “human element” that did the victims in, not the sophistication of the attack. Users clicked on suspicious attachments or links that allowed malicious programs access to their system. “It’s true time and again – no matter how often we talk about it, people still fall for it,” he said.