New clue in South Korea cyberattack reveals link to Chinese criminals
Cybersleuths picking through the digital bread crumbs left behind in Wednesday's massive South Korea cyberattack have found an interesting morsel: Apparently hackers used an 'exploit tool' made in China to infiltrate the computer networks.
If whoever was behind Wednesday’s attacks had access to some of the Gondad exploit kit, they could have gained access to hundreds – or thousands – of compromised South Korean systems and then simply chosen which one they wanted to damage. That would have made it easy to deposit the dangerous DarkSeoul wiper payload, Blasco says.
That does not mean, however, that Chinese cyber criminals were behind the attack, even if it may have been facilitated by them, these experts say.
“Gondad comes from China without question,” Blasco says. “The programmers are from China, everything in that program is in Chinese. I think it’s very likely that the guys behind this used this exploit kit – maybe a hacktivist group that wants to harm the South Korean government or a nation-state group like North Korea.”
Many US experts would not be surprised if North Korea did just that.
“North Korea is really good at black market activities, good at smuggling,” says James Lewis, a cybersecurity expert who has examined North Korea’s cyber activities. “If they wanted to get into a black market for cyber stuff, they would be good at that.”
At this point, there are too many mixed signals to point the finger definitively at North Korea, he says. For example, a digital image of skulls was reported on some machines in the wake of the attack, which suggests hacktivists might have been involved. Dr. Lewis remains unpersuaded that the North was involved, though he admits it is possible.
“Given all that the North Korean government has said, and its threats, you can’t rule it out that they may have been involved,” he says.
Another recent finding provides interesting context to the claim that Chinese cyber criminal software was involved. On Tuesday, one day before the attacks, a cyberexpert in the Czech Republic posted a blog titled: “Analysis of Chinese attack against Korean banks.”
The author of the blog, Jaromir Horejsi of AVAST, said the hack was detected about two weeks earlier and was quite different from Wednesday’s attack. The purpose was apparently to gather banking login and password information from infected computers – not to wipe out computers. Moreover, the Chinese-written malware appeared to be custom written for that attack, not part of the Gondad exploit kit.
But there are intriguing similarities, including how the payloads were deposited onto victim networks from a server in Japan.
Yet whether North Korea or a hacktivist group – or someone else – is behind Wednesday’s attack, Gondad was likely just one of several software infiltration tools used to get in, plant the malware, and then trigger it at 2 p.m. local time.
“At this point I’m calling it a theory on how someone, maybe North Korea, might have used Gondad botnet and other exploit kits to get into these companies’ networks,” Blasco says. “But the only theory really is how you combine all the companies with the infrastructure of the different exploit kits. It’s really no theory at all that Gondad is involved. There’s plenty of evidence for that.”