Tuesday 9 July 2013

DarkSeoul hacks on South Korea uncovered spying on nation's networks as far back as 2009

The DarkSeoul hackers responsible for a wave of attacks on South Korea and the US military are part of a wider and more dangerous hacking operation that has been ongoing for four years, far longer than previously thought, according to McAfee.
In its threat report, Dissecting Operation Troy: Cyber espionage in South Korea, McAfee reported uncovering evidence suggesting the group is involved in a larger hacking campaign that has been active since at least 2009.
"McAfee Labs has uncovered a sophisticated military spying network targeting South Korea that has been in operation since 2009," read the report.
"Our analysis shows this network is connected to the DarkSeoul incident. Furthermore, we have also determined that a single group has been behind a series of threats targeting South Korea since October 2009."
The firm cited similarities between the DarkSeoul attacks and malware used by a second team, operating under the New Romanic Cyber Army Team alias, as proof of its claim. "The operation, all based on the same code, has attempted to infiltrate specific South Korean targets. We call this Operation Troy, based on the frequent use of the word Troy in the compile path strings in the malware. The prime suspect group in these attacks is the New Romanic Cyber Army Team, which makes frequent use of Roman and classical terms in their code," read the report.
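The report's clue above, the word Troy recurring in compile path strings, is the kind of artefact an analyst checks for when clustering samples. The following added example (not code from the McAfee report or from the article) shows a generic version of that check: it pulls Windows-style PDB compile paths out of a byte blob and flags any whose path components match a watch-list of keywords. The blob, the paths and the keyword list are all constructed for illustration; no real sample data is used.

```python
import re

# Constructed sample: a synthetic blob with a few embedded strings, including
# two compile (PDB) paths. This is made-up data, not a real malware sample.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"D:\\Work\\Troy\\Client\\Release\\Client.pdb\x00"
    + b"\x00" * 8
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"C:\\Users\\build\\src\\updater\\updater.pdb\x00"
)

# A drive letter, a colon, a backslash, then printable ASCII up to the first ".pdb".
# Non-greedy so each match stops at its own ".pdb" rather than swallowing the next path.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,255}?\.pdb", re.IGNORECASE)


def extract_pdb_paths(blob: bytes) -> list[str]:
    """Return every PDB compile path found as a printable string in the blob."""
    return [m.group(0).decode("ascii") for m in PDB_PATH_RE.finditer(blob)]


def path_components(path: str) -> list[str]:
    """Split a Windows or POSIX path into its non-empty directory/file components."""
    return [part for part in re.split(r"[\\/]", path) if part]


def flag_paths(paths: list[str], keywords: list[str]) -> list[tuple[str, list[str]]]:
    """Return (path, matched_keywords) for paths that contain a watch-list word
    as a whole component. Matching whole components (case-insensitively) rather
    than substrings avoids false hits such as 'destroy' matching 'troy'."""
    hits = []
    for path in paths:
        components = {c.lower() for c in path_components(path)}
        matched = sorted(k for k in keywords if k.lower() in components)
        if matched:
            hits.append((path, matched))
    return hits


if __name__ == "__main__":
    found = extract_pdb_paths(SAMPLE_BLOB)
    for path in found:
        print("compile path:", path)
    for path, words in flag_paths(found, ["Troy"]):
        print("FLAGGED:", path, "matched", words)
```

Run against a file, the same two functions work on `open(name, "rb").read()`; the watch-list is an assumed input, so in practice it would hold whatever project, user or directory names an analyst has tied to a cluster, and a hit is a lead for further correlation rather than an attribution on its own.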
The firm said the evidence suggests the public DarkSeoul attacks on broadcasters and banks were likely smokescreens for the wider and more dangerous espionage scheme targeting South Korea.
"McAfee Labs has found that there was more to the incident than what was widely reported. Our analysis has revealed a covert espionage campaign," read the report.
"McAfee Labs has determined that domestic espionage activities occurred before the March 20 attacks, most likely to gain intelligence regarding the targets to carry out further attacks (such as the March 20 incident) or to benefit the attackers in some other ways. This spying operation had remained hidden and only now has been discovered through diligent research and collaboration."
The hackers behind the operation are also believed to have had access to South Korean systems before mounting the attack.
"We also suspect the attackers had knowledge of the security software running within the environment before they wiped the systems, given that some of the variants used in the attack were made to look as if they were antimalware update files from before March 20. The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools," read the report.
Prior to McAfee's report, numerous security companies and law enforcement agencies had suggested the DarkSeoul attacks were state sponsored. McAfee said its research could neither prove nor disprove this theory, but added that the hackers' behaviour was consistent with that of attackers operating under the Anonymous hacktivist collective's banner.
"State sponsored or not, these attacks were crippling nonetheless. The overall tactics were not that sophisticated in comparison to what we have seen before," read the report.
"The main group behind the attack claims that a vast amount of personal information has been stolen. This type of tactic is consistent with Anonymous operations and others that fall within the hacktivist category, in which they announce and leak portions of confidential information."
The attacks listed in the report were originally believed to have started earlier this year, when hackers operating under the DarkSeoul alias claimed responsibility for a wave of attacks on several of the nation's banks and broadcasters.
The attackers returned later this year on the anniversary of the Korean War. The attacks have seen hackers target numerous South Korean government agencies with denial of service attacks. The DarkSeoul hackers are also believed to be responsible for a data breach allegedly revealing the names and personal details of 40,000 active US servicemen.
