BreachExchange mailing list archives

South Korean corporations hit by widespread attack that wiped data and shut down systems

From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 21 Mar 2013 13:39:42 -0400

http://www.scmagazine.com/south-korean-corporations-hit-by-widespread-attack-that-wiped-data-and-shut-down-systems/article/285315/

Researchers discovered that attackers used data-wiping malware to
cripple critical businesses throughout South Korea, where several
banks and news organizations began reporting widespread cyber attacks.

On Wednesday, broadcast companies and banks began reporting a number
of technical issues, from downed websites and blocked servers to
infections that erased pertinent company files.

According to The New York Times, major banks in South Korea, NongHyup
and Jeju, reported malware outbreaks that destroyed computer files.
The Times also reported that Shinhan Bank's internet banking servers
were temporarily blocked Wednesday.

The computers of KBS and MBC television station employees reportedly
froze as well, and KBS' website became inoperable.

Researchers at Symantec said a trojan named “Jokra” was used in
attacks where data was destroyed.

According to a Wednesday blog post from Symantec, Jokra is capable of
overwriting a computer's master boot record (MBR) and all data stored
on it. The trojan also attempts to repeat this data-wiping process on
any drives “attached or mapped to the compromised computer.” Later
Wednesday, Symantec said further research has turned up a wiper
component that erases Linux machines.

Symantec found no evidence that the trojan was related to Shamoon,
data-wiping malware that targeted the energy sector in the Middle East
last August.

Satnam Narang, a Symantec researcher, told SCMagazine.com that
attacks targeting critical industries are typically motivated by
corporate or government espionage. But that's not the case here.

“This is a different scenario, where you aren't having data
extracted,” Narang said. “This is destroying data simply for the
purpose of destroying it.”

In the blog post, Symantec suggested the individuals responsible for
the attacks could be state sponsored or “nationalistic hacktivists
taking issues into their own hands.”

“The real motives of the attack are also unclear but in recent times
there has been a ramping up of political tensions in the Korean
peninsula,” Symantec said of North and South Korea tensions.

Manchester, N.H.-based Renesys, which provides real-time global
internet monitoring, found that both South and North Korean networks
experienced disconnections on Wednesday, although it was unclear
whether the outages were directly related to the reported cyber
attacks.

Renesys found that five networks at Korea Broadcasting System were
knocked offline, while the Yonhap News Network experienced similar
downtime on two networks, Doug Madory, a senior research engineer at
Renesys, said in a blog post. The company also detected network
outages at Korea Gas Corp., the world's largest liquefied natural gas
importer, and Shinhan Bank.

Between Monday and Tuesday, the firm also noted a rare spike in
network disruptions in North Korea.

“On Monday and [Wednesday] morning, we observed outages lasting for
just a few minutes in North Korea,” Renesys said. “It should be noted
that although North Korea's internet is small, it is very stable.
Until last week, North Korean outages had been very rare.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list