South Korean corporations hit by widespread attack that wiped data and shut down systems

Share this article:

Researchers discovered that attackers used data-wiping malware to cripple critical businesses throughout South Korea, where several banks and news organizations began reporting widespread cyber attacks.

On Wednesday, broadcast companies and banks began reporting a number of technical issues, from downed websites and blocked servers to infections that erased pertinent company files.

According to The New York Times, major banks in South Korea, NongHyup and Jeju, reported malware outbreaks that destroyed computer files. The Times also reported that Shinhan Bank's internet banking servers were temporarily blocked Wednesday.

The computers of KBS and MBC television station employees reportedly froze, as well, in addition to KBS' website becoming inoperable.

Researchers at Symantec said a trojan named “Jokra” was used in attacks where data was destroyed.

According to a Wednesday blog post from Symantec, Jokra is capable of overwriting a computer's master boot record (MBR) and all data stored on it. The trojan also attempts to repeat this data-wiping process on any drives “attached or mapped to the compromised computer.” Later Wednesday, Symantec said further research has turned up a wiper component that erases Linux machines.

Symantec found no evidence that the trojan was related to Shamoon, data-wiping malware that targeted the energy sector in the Middle East last August.

Satnam Narang, a Symantec researcher, told that typically attacks that target critical industries are typically motivated by corporate or government espionage. But that's not the case here.

“This is a different scenario, where you aren't having data extracted,” Narang said. “This is destroying data simply for the purpose of destroying it.

In the blog post, Symantec suggested the individuals responsible for the attacks could be state sponsored or  “nationalistic hacktivists taking issues into their own hands.” 

“The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula,” Symantec said of North and South Korea tensions.

Manchester, N.H.-based Renesys, which provides real-time global internet monitoring, found that both South and North Korean networks experienced disconnections on Wednesday, although it was unclear whether the outages were directly related to the reported cyber attacks.

Renesys found that five networks at Korea Broadcasting System were knocked offline, while the Yonhap News Network experienced similar downtime on two networks, Doug Madory, a senior research engineer at Renesys, said in a blog post. The company also detected network outages at Korea Gas Corp., the world's largest liquefied natural gas importer, and Shinhan Bank.

Between Monday and Tuesday, the firm also noted a rare spike in network disruptions in North Korea.

“On Monday and [Wednesday] morning, we observed outages lasting for just a few minutes in North Korea,” Renesys said. “It should be noted that although North Korea's internet is small, it is very stable. Until last week, North Korean outages had been very rare.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Researchers observe more than a hundred connections to 'Backoff' sinkhole

Researchers with Kaspersky Lab were able to sinkhole two command-and-control servers used by certain Backoff point-of-sale malware samples.

Judge lifts stay but Microsoft won't hand over emails during appeal

A judge has lifted a suspension of a previous order compelling Microsoft to hand over customer emails stored on a server in Ireland.

Home Depot investigates possible payment card breach

Home Depot investigates possible payment card breach

Home Depot said on Tuesday that it is working with its banking partners and law enforcement to investigate a possible data breach.