McAfee recently released a detailed analysis of the Operation Troy attack, previously known as Dark Seoul. They found that the attacks were actually the conclusion of a covert espionage campaign going back as far as 2009. McAfee Labs uncovered a sophisticated spying network targeting South Korea, designed to gather intelligence on military networks.
The network uses 128-bit RSA (which is insecure at that key size, so I'd guess it's there simply to obfuscate the data) to encrypt communications to the C&C servers over HTTP and IRC.
Key points of last March’s attack timeline:
March 20 attack against banks and news agencies in South Korea:
1. The remote-access Trojan was compiled January 26, 2013.
2. The component to wipe the master boot record (MBR) of numerous systems was compiled January 31.
3. An initial victim within the organization was spear-phished with the remote-access Trojan. This likely occurred before March 20, and possibly weeks prior to the attack.
4. The dropper was compiled March 20, hours before the attack occurred.
5. The dropper was distributed to systems across the victim organizations, and within minutes of execution the MBRs were wiped. This occurred around 2:00 pm Seoul time on March 20.
So we can basically conclude that the “Dark Seoul” attack was the fireworks finale of Operation Troy’s military espionage. I wonder why the people behind this “useful” operation decided to end it?
The full report can be accessed here.