The cyberattack that hit South Korea’s key broadcasters and banks last March wasn't just a one-off by some random hackers. It turns out the attack, which paralyzed operations and erased data from tens of thousands of computers, was part of a sophisticated espionage campaign discovered by cybersecurity firm McAfee Labs. The identities of those behind the attack and the extent of information stolen remain unknown, McAfee said in its research report published Monday.
The hackers, who used malware to effectively shut down South Korean computer networks on March 20, also deployed malicious code to extract classified information, including data related to U.S. forces in South Korea and military exercises carried out jointly by American and South Korean troops, the Associated Press reported. It cited researchers at Santa Clara, Calif.-based McAfee Labs, who analyzed code samples provided by U.S. government partners and private entities.
“McAfee Labs has uncovered a sophisticated military spying network targeting South Korea that has been in operation since 2009,” the report said. “Furthermore, we have also determined that a single group has been behind a series of threats targeting South Korea since October 2009.”
“In this case the adversary had designed a sophisticated encrypted network designed to gather intelligence on military networks. We have confirmed cases of Trojans operating through these networks in 2009, 2010, 2011 and 2013. Everything extracted from these military networks would be transmitted over this encrypted network once the malware identified interesting information,” the report said.
Malware used in the March attack to erase data is different from the one used to spy on classified information, but researchers believe both codes could have originated from the same source, since the codes share several characteristics.
“Who conducted these attacks is still unclear, but our research gives some further insight into the likely source. The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and mask the true source,” the report said.
An initial investigation by South Korean authorities found that the March attack originated from an Internet address located in China, deepening suspicions that North Korea could have been behind it, since South Korean intelligence officials believe North Korean hackers routinely use Chinese IP addresses to hide their identities.
On April 10, Seoul said North Korea was found responsible for the attack.
The cyber espionage campaign, which McAfee calls “Operation Troy” due to several references to the ancient city in the malware’s code, goes back to 2009, when the malware was used by attackers to infect a social media website used by South Korean military personnel.