Operation Troy (Dark Seoul): Previous Cyber Attacks and Response

Posted: August 13, 2013 in Computer Security, Cyber Security, Korea

In this post I compare previous major cyber attacks prior to Operation Troy and present my thoughts on the responsiveness of the authorities.


Stuxnet was discovered in July 2010, but the earliest known variant is confirmed to have existed since 2007 [11]. Stuxnet caught many security researchers and professionals by surprise, being the first advanced malware of its kind. According to Symantec’s report [12], Stuxnet is a complex threat that was primarily written to target an industrial control system (ICS) or set of similar systems. A vast array of components was implemented in the malware, including four zero-day exploits, a Windows rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, a command and control interface, as well as the first ever PLC rootkit. The main purpose of Stuxnet’s payload is to modify code on Siemens industrial PLCs in order to sabotage the system. It is widely believed that Iran’s Natanz nuclear Fuel Enrichment Plant (FEP) was the intended target. Hosts in five domains of organizations based in Iran were heavily infected over three attack waves. The deliberate containment of the malware to targets in Iran is also apparent from the number of hosts infected worldwide, which reached only around 100,000, with approximately 60% being in Iran. This attack has been claimed to have set back Iran’s nuclear program by several years, as 1,000 out of 9,000 centrifuges were disabled and had to be replaced [13]. The initial attack point is likely to have been a USB infection.

10 days of Rain

On March 4, 2011, exactly 20 months after a similar incident during the U.S. Independence Day celebrations of 2009, a botnet based in South Korea launched DDoS attacks against 40 websites affiliated with South Korean government, military, and civilian critical infrastructure as well as U.S. forces based in Korea [14]. The botnet was dynamically updated with new malware binaries, ran a non-stop DDoS for more than a week, and then wiped the hard disks with zeroes, overwriting the MBR and making the machines unusable. This attack used malware with a much higher level of sophistication than is necessary to launch a trivial DDoS attack. Encryption of code and configurations using algorithms such as AES, RSA, and RC4 enabled the attackers to evade detection and prolong analysis. A multitier botnet architecture included 40 C&C servers distributed across the globe, including servers in the USA, Taiwan, Saudi Arabia, Russia, and India. Highlighting the overkill in this attack, McAfee went so far as to call it “analogous to bringing a Lamborghini to a go-cart race” [15]. Considering the limited timeframe and target list, McAfee suggested the motivation of the attack was a cyber war exercise to test the preparedness of South Korea’s cyber defense capabilities and to better understand the technical requirements for a successful campaign.
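A forensic triage check for the MBR overwrite described above, as an added example that is not part of the original post: it classifies the first sector of a raw disk image and counts how many leading sectors were zeroed. The function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR = 512
PT_OFFSET = 446           # partition table: 4 entries of 16 bytes each
BOOT_SIG = b"\x55\xaa"    # bytes 510-511 of a valid MBR

def parse_partitions(sector: bytes) -> list:
    """Return the used entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:          # type 0 means unused slot
            parts.append({"slot": i, "bootable": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    return parts

def triage_mbr(image: bytes) -> dict:
    """Classify sector 0 of a raw image and measure the zeroed prefix."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    zeroed = 0                                    # whole leading all-zero sectors
    while ((zeroed + 1) * SECTOR <= len(image)
           and not any(image[zeroed * SECTOR:(zeroed + 1) * SECTOR])):
        zeroed += 1
    sector = image[:SECTOR]
    parts = parse_partitions(sector)
    if zeroed:
        state = "zeroed"                          # consistent with a zero-fill wipe
    elif sector[510:512] != BOOT_SIG:
        state = "no_boot_signature"               # overwritten with non-zero data
    elif not parts:
        state = "empty_partition_table"
    else:
        state = "ok"
    return {"state": state, "zeroed_leading_sectors": zeroed, "partitions": parts}

def make_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xeb\x63\x90"                 # stand-in for boot code bytes
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                                  b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)
```

Run against the first few megabytes of an acquired image, a large `zeroed_leading_sectors` value indicates how far the overwrite progressed before the machine stopped.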

SK Communications – CyWorld

In July 2011, SK Communications became the victim of an attack that resulted in the loss of the personal details of 35 million users [16]. The users of CyWorld and Nate, services owned by SK Communications, were affected by this attack. Judging from the sophistication of the attack and the time needed for planning it, researchers concluded that the attack was likely carried out by an Advanced Persistent Threat. Between July 18 and 25, more than 60 computers were infected and then used to gain access to the user databases. The launch point was a South Korean software company’s update server, normally used to deliver software updates to customers [17]. The attackers compromised the server and created a trojan that would be downloaded to user computers during a routine update. Poor change management policy resulted in software updates being fully trusted, allowing attackers to fully exploit this weak point. During this time, attackers used C&C servers to monitor the activities on the infected machines and uploaded tools to a previously compromised legitimate Taiwanese website. An elaborate infrastructure of waypoints and C&C servers was created to make tracing the sources of their activities difficult. In-depth investigation of the attack reveals that preparation went back as early as 2007 before finally culminating in the compromise of the user databases between July 26 and 28, 2011.

Readiness & response

Out of the several banks that were targeted, Woori Bank was the only one reported to successfully defend against the threat. The fact that the attacks could have been prevented by simply keeping Windows DEP mode on, using an updated antivirus, and avoiding opening suspicious emails, shows a lack of end-point security, email filtering policy, and user awareness training. Looking at how simple it could have been to prevent infection suggests that computer security policy is not properly addressed by the top management of the organizations affected.


Investigators took three weeks to report the origins of the attack with certainty [18]. The investigation team reported that machines were infected for at least eight months before D-Day. More importantly, according to KISA, 18 of the 76 samples of malware were found to be identical to strains used by North Korean hackers in previous attacks. In addition, 49 infiltration routes were detected, with 22 IP addresses reused since the 2009 attacks. The ability to identify these facts is essential to a proper response to incidents such as this one. However, these facts also raise the question of what remediation strategy was implemented since 2009, given that so many identical components were able to successfully infiltrate networks and cause so much damage. Furthermore, statements given in briefings by investigators suggested that they were helpless to defend against the threat due to its high level of sophistication. These statements contradict the findings of experts in the computer security industry.


In the days directly after the attack, the authors found that both domestic and foreign computer security companies provided the most detailed sources of information. AhnLab ASEC, NSHC’s Red Alert team [19], and Symantec issued similar malware analysis reports of the wiper payload. Trend Micro’s Deep Discovery system detected the malicious downloaders in the attachments of emails [20], thus making known the initial infection point. Avast’s analysis of the websites used as launch platforms also revealed the second step of the primary attack vector. All of the reports suggested that the attack was low in sophistication, directly contradicting statements from the government-led investigation team. However, these reports were fragmented and did not paint a full picture of what happened from beginning to end. As a result, although the conclusions in each report were not incorrect, they were incomplete in connecting all the dots, thus creating a false sense of security in the cases where the researchers openly stated that the attack was not conducted by an APT.


The authors believe that the media can play a vital role in increasing public awareness of cyber threats by providing accurate and informative reporting to the public. However, the way the attack was portrayed as cyber terror downplayed the serious deficiencies in the security policies and technologies used by the victims and the authorities responsible for national cyber defense. In the end, the public did not have an accurate idea of what happened, the risks to their personal or financial safety, or what they needed to do during and after the attack. The media only functioned to relay statements from government or industry, with almost no critical analysis of the information or of the overall state of Korea’s cyber security. All of this information and critique is vital for empowering individuals to understand the risks so they can contribute towards stronger national resilience against cyber attacks.


[11] G. McDonald, L. O. Murchu, S. Doherty, and E. Chien, “Stuxnet 0.5: The Missing Link,” Symantec Security Response [online] 26 February 2013, Available: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
[12] N. Falliere, L. O. Murchu, and E. Chien, “W32.Stuxnet Dossier,” Symantec Security Response [online] February 2011, Available: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
[13] Albright, D., Brannan P., Walrond, C. “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” Institute for Science and International Security [online] 22 December 2010, Available: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/ (Accessed: 18 April 2013)
[14] “10 Days of Rain in Korea,” McAfee Blog Central [online] 5 July 2011, Available: http://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea (Accessed: 18 April 2013)
[15] “Ten Days of Rain Whitepaper,” McAfee, 5 July 2011
[16] “SK Hack by an Advanced Persistent Threat,” Command Five [online] September 2011, Available: http://www.commandfive.com/papers/C5_APT_SKHack.pdf (Accessed: 18 April 2013)
[17] Moon-young Lee, “Personal information hack traced to Chinese IP address” The Hankyoreh [online] 12 August 2011, Available: http://www.hani.co.kr/arti/english_edition/e_national/491514.html (Accessed: 18 April 2013)
[18] “South Korea Probe Blames North for Cyber Attack” VOA News [online] 10 April 2013, Available: http://www.voanews.com/articleprintview/1638361.html (Accessed: 18 April 2013)
[19] “Red Alert Research Report: 3.20 South Korea Cyber Attack Version 1.6”, Safe² RedAlert Data Sharing [online] 22 April 2013, Available: http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert%28EN%29.pdf (Accessed: 18 April 2013)
[20] “How Deep Discovery Protected Against The Korean Cyber Attack,” TrendLabs Security Intelligence Blog [online] 21 March 2013, Available: http://blog.trendmicro.com/trendlabs-security-intelligence/how-deep-discovery-protected-against-the-korean-mbr-wiper/ (Accessed: 18 April 2013)

