Symantec researchers said initial analysis of the attacks and the malware used proved the DarkSeoul hackers were involved in the recent attacks on South Korea. "While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov," Symantec said.
The firm said the research also linked the team to several attacks on both South Korea and the US government. "We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last four years against South Korea, in addition to yesterday's attack," it noted. "They previously conducted DDoS and wiping attacks on the US Independence Day as well."
The group's involvement in attacks on the US is expected to have political consequences, with many security researchers believing DarkSeoul is working for the North Korean government. If true, this is troubling, as in the past the US government has indicated it would react to cyber attacks on its networks the same way it would to real-world acts of war. At the time of publishing, the US Department of Defense and White House had not responded to V3's request for comment on Symantec's research.
Symantec confirmed that, while there is some evidence to suggest the DarkSeoul group is state sponsored, it is still too early to know definitively whether the group is operating at the behest of the North Korean government.
"The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea," wrote Symantec.
Symantec researchers said that even if DarkSeoul is not working for North Korea, the group is in possession of several sophisticated attack tools and resources. The security firm warned businesses to expect and prepare for further attacks from the group.
"Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cyber sabotage on organisations in South Korea," the firm said.
"Cyber sabotage attacks on a national scale have been rare - Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years."
Hacks in Korea have been under way since the anniversary of the war between the two nations, with details on 40,000 troops leaked earlier this week.