McAfee finds patterns in years-long espionage campaign seeking South Korean military secrets

A massive March attack that shut down South Korean computer systems may only have been the tip of the iceberg in what McAfee researchers are saying is part of a bigger, years-long covert effort to extract military secrets.

A sophisticated spying network targeting South Korean military secrets has been in operation since 2009, according to a new study published by McAfee Labs researchers Ryan Sherstobitoff, Itai Liba and James Walter.

The study noted that malware identified in South Korean military networks has been designed to scan and categorize documents by a variety of keywords, including "U.S. Army" and "Joint Chiefs of Staff," evidence that the attackers were interested in any South Korean communication with the American military.

Rather than automatically blasting out pertinent information to the criminals, the reconnaissance malware does a good job of staying under the radar by only alerting the attacker that a keyword has been found. The perpetrator can then pick and choose information as they please.

The study draws connections between several cyber attacks on South Korea since 2009, including the incident in March that has been named "Dark Seoul," most notably by identifying malware and hacker code operating throughout the past five years.

“The operation, all based on the same code, has attempted to infiltrate specific South Korean targets,” according to the study. “The prime suspect group in these attacks is the New Romanic Cyber Army Team, which makes frequent use of Roman and classical terms in their code.”

Not much information is known about the New Romanic Cyber Army, including where they are based, but the attacks occurring over nearly five years have been dubbed Operation Troy because the term "Troy" appears frequently throughout the hacker code.

“All of this was thought of as solitary other than collective,” Brian Kenyon, VP and CTO of Security Connected at McAfee, told “This is a great example of how we need to find out how attacks are dependent on each other. I don't think we knew to look at those types of things before. We never thought of a campaign as prolific as this.”

Kenyon said that attributing the attack to a person or a hacker group is a misstep, explaining that instead these new types of behaviors have to be acknowledged, understood and defended against.

According to the study, it's possible that a phishing campaign within a South Korean military social networking site led to the initial infiltration and laid the groundwork that eventually led to the Dark Seoul incident.