Cyber espionage campaign attacks South Korea

Kaspersky Lab UK: 12 September 2013 (Technical Article)
Companies in the Republic of Korea are under attack from cyber criminals, according to research and analysis conducted by Kaspersky Lab.
Kaspersky Lab’s security research team has published a report that analyses an active cyber-espionage campaign primarily targeting South Korean think-tanks.

This campaign, named Kimsuky, is limited and highly targeted. According to technical analysis, attackers were interested in targeting eleven organisations based in South Korea and two entities in China including the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the supporters of Korean Unification.

The earliest signs of this threat actor's activity date back to the 3rd April 2013, and the first Kimsuky Trojan samples appeared on the 5th May 2013. This unsophisticated spy program includes several basic coding errors and handles communications to and from infected machines via a Bulgarian web-based free e-mail server (mail.bg).

Although the initial delivery mechanism remains unknown, Kaspersky researchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails. It has the ability to perform the following espionage functions: keystroke logging, directory listing collection, remote control access and HWP document theft (HWP is the document format of the South Korean word processing application in the Hancom Office bundle, which is extensively used by the local government). The attackers are using a modified version of the TeamViewer remote access application as a backdoor to hijack any files from the infected machines.

The Kimsuky malware contains a dedicated malicious program designed for stealing HWP files, which suggests that these documents are one of the main objectives of the group.

Clues found by Kaspersky Lab's experts make it possible to surmise the North Korean origin of the attackers. First, the profiles of the targets speak for themselves: South Korean universities conducting research on international affairs and producing defence policies for government, a national shipping company, and support groups for Korean unification. Second, a compilation path string contains Korean words, some of which translate as the English commands “attack” and “completion”.

Finally, the two e-mail addresses to which bots send status reports and transmit infected system information as attachments (iop110112@hotmail.com and rsh1213@hotmail.com) are registered under the following ‘kim’ names: “kimsukyang” and “Kim asdfa”. Even though this registration data does not provide hard evidence about the attackers, the source IP addresses of the attackers fit the profile: there are 10 originating IP addresses, and all of them lie in the ranges of the Jilin Province Network and the Liaoning Province Network in China. The ISPs providing Internet access in these provinces are also believed to maintain lines into parts of North Korea.

Another interesting “geo-political” feature of Kimsuky malware is that it only disables security tools from AhnLab, a South Korean anti-malware company.
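The article names three network- and host-level indicators a defender can act on: report mail sent to the two Hotmail addresses, outbound mail relayed through mail.bg, and security services from AhnLab being stopped. The triage script below is an added example (not Kaspersky Lab's code or part of the original article) that runs those three checks over a constructed log format; every host name, timestamp, service name and log line in it is made up for the example, and only the mail domain and the two addresses come from the article.

```python
"""Indicator triage for the Kimsuky report.

Added example, not Kaspersky Lab's code. The indicators are the ones the
article names: the mail.bg relay, the two Hotmail report addresses, and the
malware's habit of disabling AhnLab security tools. The log format and every
host, timestamp and service name below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article.
REPORT_ADDRESSES = {"iop110112@hotmail.com", "rsh1213@hotmail.com"}
C2_MAIL_DOMAIN = "mail.bg"
# Assumption: AhnLab service events carry the vendor name; we match on it.
AHNLAB_SERVICE_HINT = "ahnlab"


@dataclass
class Finding:
    host: str
    kind: str     # c2-mailbox | c2-relay | av-tamper
    detail: str


# Constructed log format: "<timestamp> <host> <event-type> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<type>\S+) (?P<rest>.*)$")


def parse_kv(rest: str) -> dict:
    """Split 'key=value key=value' into a dict; tokens without '=' are ignored."""
    return dict(pair.split("=", 1) for pair in rest.split() if "=" in pair)


def triage_line(line: str):
    """Return a Finding if the line matches one of the three indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, event_type = m["host"], m["type"]
    kv = parse_kv(m["rest"])
    if event_type == "smtp":
        rcpt = kv.get("rcpt", "").lower()
        relay = kv.get("relay", "").lower()
        # Mail addressed to a reported collection mailbox is the strongest signal.
        if rcpt in REPORT_ADDRESSES:
            return Finding(host, "c2-mailbox", f"mail to reported address {rcpt}")
        # Mail relayed through the free Bulgarian provider the malware uses.
        if relay == C2_MAIL_DOMAIN or relay.endswith("." + C2_MAIL_DOMAIN):
            return Finding(host, "c2-relay", f"outbound mail via {relay}")
    elif event_type == "service":
        # The malware stops AhnLab tools specifically, so a stop of a vendor
        # service that no administrator scheduled is worth a ticket.
        name = kv.get("name", "")
        if kv.get("action") == "stop" and AHNLAB_SERVICE_HINT in name.lower():
            return Finding(host, "av-tamper", f"security service stopped: {name}")
    return None


def triage(lines):
    """Run triage_line over an iterable of log lines and keep the hits."""
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


def hosts_with_multiple_indicators(findings):
    """Hosts that tripped more than one indicator kind; prioritise these."""
    kinds_by_host = {}
    for f in findings:
        kinds_by_host.setdefault(f.host, set()).add(f.kind)
    return sorted(h for h, kinds in kinds_by_host.items() if len(kinds) > 1)


# Constructed sample log: five lines, three of which should be flagged.
SAMPLE_LOG = """\
2013-09-10T08:01:12Z ws-17 smtp relay=smtp.example.org rcpt=colleague@example.org size=1024
2013-09-10T08:03:44Z ws-17 smtp relay=mail.bg rcpt=rsh1213@hotmail.com size=52311 attach=sysinfo.zip
2013-09-10T08:04:02Z ws-17 service name=AhnLab_V3_Constructed action=stop user=SYSTEM
2013-09-10T08:04:10Z ws-23 service name=Spooler action=stop user=SYSTEM
2013-09-10T08:05:30Z ws-31 smtp relay=mail.bg rcpt=friend@example.net size=2048
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.host:6} {f.kind:10} {f.detail}")
    print("escalate:", hosts_with_multiple_indicators(hits))
```

The address check runs before the relay check so that a hit on one of the reported mailboxes is reported as such rather than as generic mail.bg traffic; the relay-only hit on ws-31 still surfaces because legitimate traffic to a free Bulgarian webmail provider from a Korean think-tank network is unusual enough to review. Combining a mail indicator with an AhnLab service stop on the same host (ws-17 in the sample) is what should be escalated first.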

Kaspersky Lab’s products detect and neutralise these threats as Trojan.Win32.Kimsuky, and modified TeamViewer client components are detected as Trojan.Win32.Patched.ps.
