South Korean corporations hit by widespread attack that wiped data and shut down systems

Share this article:

Researchers discovered that attackers used data-wiping malware to cripple critical businesses throughout South Korea, where several banks and news organizations began reporting widespread cyber attacks.

On Wednesday, broadcast companies and banks began reporting a number of technical issues, from downed websites and blocked servers to infections that erased pertinent company files.

According to The New York Times, major banks in South Korea, NongHyup and Jeju, reported malware outbreaks that destroyed computer files. The Times also reported that Shinhan Bank's internet banking servers were temporarily blocked Wednesday.

The computers of KBS and MBC television station employees reportedly froze, as well, in addition to KBS' website becoming inoperable.

Researchers at Symantec said a trojan named “Jokra” was used in attacks where data was destroyed.

According to a Wednesday blog post from Symantec, Jokra is capable of overwriting a computer's master boot record (MBR) and all data stored on it. The trojan also attempts to repeat this data-wiping process on any drives “attached or mapped to the compromised computer.” Later Wednesday, Symantec said further research has turned up a wiper component that erases Linux machines.

Symantec found no evidence that the trojan was related to Shamoon, data-wiping malware that targeted the energy sector in the Middle East last August.

Satnam Narang, a Symantec researcher, told SCMagazine.com that typically attacks that target critical industries are typically motivated by corporate or government espionage. But that's not the case here.

“This is a different scenario, where you aren't having data extracted,” Narang said. “This is destroying data simply for the purpose of destroying it.

In the blog post, Symantec suggested the individuals responsible for the attacks could be state sponsored or  “nationalistic hacktivists taking issues into their own hands.” 

“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula,” Symantec said of North and South Korea tensions.

Manchester, N.H.-based Renesys, which provides real-time global internet monitoring, found that both South and North Korean networks experienced disconnections on Wednesday, although it was unclear whether the outages were directly related to the reported cyber attacks.

Renesys found that five networks at Korea Broadcasting System were knocked offline, while the Yonhap News Network experienced similar downtime on two networks, Doug Madory, a senior research engineer at Renesys, said in a blog post. The company also detected network outages at Korea Gas Corp., the world's largest liquefied natural gas importer, and Shinhan Bank.

Between Monday and Tuesday, the firm also noted a rare spike in network disruptions in North Korea.

“On Monday and [Wednesday] morning, we observed outages lasting for just a few minutes in North Korea,” Renesys said. “It should be noted that although North Korea's internet is small, it is very stable. Until last week, North Korean outages had been very rare.”

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.