Operation Troy (was Dark Seoul) analyzed by McAfee

Posted: July 10, 2013 in Computer Security, Cyber Security, Malware

McAfee recently released a detailed analysis of the Operation Troy attack, previously known as Dark Seoul. They found that the attacks were actually the conclusion of a covert espionage campaign going back as far as 2009. McAfee Labs uncovered a sophisticated spying network targeting South Korea, designed to gather intelligence on military networks.

The network uses 128-bit RSA (which is insecure, so I guess it’s simply there to obfuscate the data) to encrypt communications to the C&C servers over HTTP and IRC.

Key points of last March’s attack timeline:

March 20 attack against banks and news agencies in South Korea:
1. The remote-access Trojan was compiled January 26, 2013.
2. The component to wipe the master boot record (MBR) of numerous systems was compiled January 31.
3. An initial victim within the organization was spear-phished with the remote-access Trojan. This likely occurred before March 20, and possibly weeks prior to the attack.
4. The dropper was compiled March 20, hours before the attack occurred.
5. The dropper was distributed to systems across the victim organizations, and within minutes of execution the MBRs were wiped. This occurred around 2:00 pm Seoul time on March 20.
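Step 5 is the destructive part of the timeline: the dropper overwrites the master boot record. An MBR is a single 512-byte sector with a fixed layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the signature 0x55AA at the end), so a defender can baseline it and detect a wipe or tampering. The script below is an added example, not code from the McAfee report or from this post; the sample MBR it builds is constructed here, and `read_mbr()` assumes a raw disk device path such as `/dev/sda` (or a disk image) readable by the user running it.

```python
import hashlib

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: filler boot code, one NTFS-style partition entry, valid signature."""
    boot_code = (bytes(range(256)) + b"\x90" * 190)[:PART_TABLE_OFFSET]
    # One 16-byte entry: bootable flag 0x80, CHS fields zeroed, type 0x07,
    # LBA start 2048, size 1,000,000 sectors (all values are made up).
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (2048).to_bytes(4, "little")
             + (1_000_000).to_bytes(4, "little"))
    partition_table = entry + b"\x00" * 48          # remaining three entries empty
    return boot_code + partition_table + MBR_SIGNATURE


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image (assumed readable)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this while the host is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> dict:
    """Compare a freshly read MBR against its baseline and flag signs of wiping or tampering."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "findings": ["sector length is not 512 bytes"]}
    if sector[510:512] != MBR_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector == b"\x00" * SECTOR_SIZE:
        findings.append("sector is all zeros (consistent with a wipe)")
    if mbr_fingerprint(sector) != baseline_fingerprint:
        findings.append("fingerprint differs from baseline")
    # Each partition entry starts with a boot flag that must be 0x00 or 0x80;
    # anything else means the table has been overwritten with foreign data.
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        flag = sector[start]
        if flag not in (0x00, 0x80):
            findings.append(f"partition entry {i} has invalid boot flag 0x{flag:02x}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("known-good:", check_mbr(good, baseline))
    print("wiped:     ", check_mbr(b"\x00" * SECTOR_SIZE, baseline))
```

In practice the baseline fingerprint is collected once per host and stored off-box; the check runs on a schedule or at boot, and any finding other than an expected re-partitioning is an incident. A wipe that lands "within minutes of execution", as described above, leaves no time for a reactive check, so the value of this is in the post-incident triage of imaged disks and in catching partial or staged tampering before the destructive step.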

So we can conclude that the “Dark Seoul” attack was the fireworks concluding Operation Troy’s military espionage. I wonder why the people behind this “useful” operation decided to end it?

The full report can be accessed here.
