New clue in South Korea cyberattack reveals link to Chinese criminals
Cybersleuths picking through the digital bread crumbs left behind in Wednesday's massive South Korea cyberattack have found an interesting morsel: Apparently hackers used an 'exploit tool' made in China to infiltrate the computer networks.
The source of the cyberattack that damaged 32,000 computers at several banks and television stations in South Korea Wednesday remains unclear, but the digital traces left behind have led one cybersleuth to suggest that it has clear links to Chinese cybercrime organizations.
Though South Korean investigators initially said they had traced the attack to an Internet address in China, they have since stepped back from that statement. Yet cybersecurity experts looking at file names, Internet domain names, and other digital detritus left behind by the attackers – which has been published on Korean technical blogs – are coming to their own conclusions.
The information posted online has led Jaime Blasco, a cybersecurity researcher in San Mateo, Calif., to suggest that the attackers gained access to the computers through a so-called “exploit kit” apparently designed by cybercriminals in China and often used to target South Korea.
The finding doesn’t implicate the Chinese government – or exonerate it. Nor does it provide any clarity on whether North Korea was involved – though some experts say the exploit kit is just the sort of cybercrime tool that North Korea might be inclined to purchase on the black market.
What Mr. Blasco’s investigation clarifies is how the damage was done – providing clues that could help crack the mystery of who was responsible.
“What we see are traces that the attackers used for their intrusion into the banks and other companies a criminal exploit kit written in China,” says Blasco, a researcher with AlienVault. “It would be easy for whoever did this attack to rent or purchase this exploit tool and then use it to get into the banks to leave behind the wiper malware.”
Researchers with Sophos, a cybersecurity company in Britain, on Wednesday identified the malware that did the damage: a destructive “wiper” program dubbed “DarkSeoul” that overwrites critical parts of the computer. Its origin has not been identified, although the attack on its face bore a striking similarity to the wiper program used in an August 2012 attack on the oil firm Saudi Aramco.
What was not known was how the attackers first infiltrated the banks’ networks, created digital backdoors, and then moved around those networks to deliver DarkSeoul.
So Blasco took the file names identified on the Korean technical blogs and then began painstakingly comparing them to a large database of known malware. What he discovered were numerous detailed matches with a single piece of Chinese malware called the Gondad exploit kit. The kit infects personal computers with a trojan program that opens a digital backdoor and hands over control of the infected computer to an attacker.
From that point, the computer becomes a “bot” or “zombie” that can be accessed and controlled by anyone who rented or purchased Gondad. The Gondad botnet has enslaved 400,000 computers in 89 countries, making it the 65th largest botnet in the world, according to AVG Technologies, an antivirus company based in Brno, Czech Republic. What’s notable is that 73 percent of all Gondad victims worldwide reside in South Korea.