
South Korea Probe Says North Behind Cyber Attack: Report - techinsidr
http://www.securityweek.com/south-korea-probe-says-north-behind-cyber-attack-report
======
kyllo
Is there an article anywhere that clearly explains the actual attack vector?

 _The bash script ultimately used by the malware is a wiper designed to work
with any Linux distribution, with specific commands for SunOS, AIX, HP-UX
distributions, Symantec said. As such, it wipes out the /kernel, /usr, /etc,
and /home directories._

That wouldn't take a particularly sophisticated bash script.

But as far as how the payload was actually delivered to the infected machines,
there doesn't seem to be a consensus.

This article portrays it as a RAT/botnet style attack via "a central computer
providing antivirus protection," which suggests that they may have gained
privileged access to an antivirus company's update server and pushed the code
out to clients via the antivirus software itself.

<http://www.guardian.co.uk/technology/2013/mar/22/south-korea-cyber-attack>

Meanwhile, this article attributes it to an executable e-mail attachment with
a misleading filename, basically a phishing attack:

<http://www.infosecurity-magazine.com/view/31475/south-korea-cyber-attacks-likely-sparked-by-phishing-emails/>

Some articles described the South Korean government as concluding that the
attack came from China, and then later articles say that they backtracked on
this and decided it actually came from North Korea. I think this part is
heavily politicized, and it's entirely possible that it did come from China
but the South Korean government found it more politically expedient to blame
it on North Korea instead.

~~~
kijin
My current understanding is that the malware was delivered as part of an
update to some commonly used ActiveX controls. The initial infiltration took
place 8 months ago, but the malware was designed to go live at a specific time
[1]. Over 70 different pieces of malware were used to infiltrate a wide range
of targets. The bash script was apparently used on non-Windows targets, of
which there were only a few.

EDIT: The single most effective attack vector seems to have been the update
server for an ActiveX control called XecureWeb, which is used by several banks
and their 20 million customers [4]. Just checked and I have XecureWeb too, in
a VM that I only use for online banking. Good thing I have that VM turned off
99% of the time.

According to SK news media, the primary reason the SK government suspects NK
of the latest attack is because the attackers used some of the same malware,
same proxy servers, and same techniques that were used in previous attacks,
which the SK government also attributes to NK [2]. But AFAIK there is no
indisputable evidence that links those previous attacks to NK, either. So
there's a bit of circular reasoning involved in the accusation.

The initial accusation of a Chinese attack was based on a Chinese IP address
(101.106.25.105) that was used by the attackers. This accusation was rescinded
when it was found that one of the banks that were hacked has been using the
same IP range in its internal network </facepalm> [3]. But even if this wasn't
the case, the case for a Chinese attack would be weak because anyone can use a
Chinese open proxy.

There was also mention of a North Korean IP address (175.45.178.x) being used
for command & control [2], but I don't know how that works because SK ISPs are
extremely unlikely to permit any traffic to or from NK IP addresses. Remember,
this is a country that censors virtually every NK-operated website.

All in all, little direct evidence that links the attacks to NK has been
released. Maybe such evidence exists but is classified. Maybe it doesn't exist
in the first place. However, since the series of attacks over the last few
years targeted SK's major financial, governmental, and media infrastructure,
it is not too unreasonable to suspect that the attackers (or whoever hired
them) have an axe to grind with SK as a whole, not with any particular
corporation. Given the extremely polarized political landscape, it is also not
unreasonable to suspect that someone who has a problem with SK might
sympathize with NK.

What doesn't get mentioned amid all the finger-pointing and political rhetoric
is that SK's internet infrastructure desperately needs a major overhaul. The
so-called "security" companies, who sell ActiveX controls with various alleged
benefits, have been in charge of IT policy for over a decade. This has led to
an online landscape where it is considered normal for any random website to
ask the user to restart IE as administrator and install 5 ActiveX controls
just to be able to log in.

This is a completely separate problem from antiviruses. I'm not joking when I
tell you that every bank requires you to install an ActiveX control that
claims to detect and disable keyloggers. That's 1000x more evil than Norton
Antivirus.

[1] <http://news.khan.co.kr/kh_news/khan_art_view.html?artid=201304102221475&code=940202> [Korean]

[2] <http://www.hani.co.kr/arti/economy/it/582269.html> [Korean]

[3] <http://www.hani.co.kr/arti/economy/it/579266.html> [Korean]

[4] <http://news.mt.co.kr/mtview.php?no=2013040922225524474&VRF> [Korean]

UPDATE: More links.

ADDENDUM: In a previous comment [5], I argued that Ahnlab is an upstanding
company that is unlikely to be involved in malicious activities. Turns out one
of their products actually was exploited during the latest attack, though it
was not their flagship antivirus suite.

[5] <https://news.ycombinator.com/item?id=5407719>

~~~
kyllo
Thanks for the summary. From this, it does appear that they used an antivirus
update server as the attack vector.

And about SK's internet infrastructure--believe me, I know. I had an account
at Woori Bank when I lived in Korea. For internet banking authentication, they
gave me two different PIN numbers (one 4-digit and one 6-digit) and a scratch-
off card with a password matrix on it (at each login it would require me to
enter digits found in different positions on the card), in addition to
username/password and requiring me to install an AhnLab antivirus program, an
"anti-keylogger" program, and 2-3 ActiveX encryption programs.

I believe it was actually written in South Korean law until very recently that
browser security/encryption MUST be implemented in ActiveX, and HTTPS/SSL was
completely unheard of in Korea. I think these other authentication measures
were devised to make up for the weaknesses of the ActiveX encryption.

When I asked the bank rep why they had so many different authentication
measures, the response was, and I quote, "Because Chinese people do the fake
things."

~~~
kijin
The scratch-off card is a poor man's one-time password generator. In fact,
it's remarkably effective at preventing scammers from draining people's
accounts, as long as you're not stupid enough to take a photo of your card and
post it online (yeah, people do that). That little card is what prevents the
whole ActiveX fiasco from crumbling down like a house of cards, precisely
because it's so low-tech (i.e. requires physical access).

A lot of the other crap is understandable when you take into account the fact
that online banking was first introduced to Korea in the mid-1990s. HTTPS was
useless at the time because of U.S. export restrictions limiting it to 40
bits. Home-brewed ActiveX controls were used to implement 128-bit encryption.
Korea also decided to use public keys and X.509 client certificates to
identify people, way ahead of the rest of the world, but of course no browser
supported them so someone had to write custom software. After that, inertia
and regulatory capture allowed what was supposed to be a stopgap measure to
continue for another 15+ years, long after proper HTTPS became available in
every browser.

The only benefit I can think of is that Koreans don't have to worry about
those stupid password restrictions that a lot of American banks impose on
their customers :)
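
The matrix-card scheme kijin describes, as an added example that is not code from any Korean bank or from this thread: a server mints a card of independent random two-digit cells, challenges the customer with fresh random positions at each login, and verifies the typed digits. The card geometry (5 rows by 7 columns) and the number of cells per login (2) are assumptions for illustration. The second half models the weakness he alludes to, a phisher who harvests cells one login at a time, and computes how quickly the card's protection decays as cells are revealed.

```python
"""Added example (not from the original page or any bank's code):
a scratch-off matrix card used as a poor man's one-time password.
Assumed layout: ROWS x COLS two-digit cells, CELLS_PER_CHALLENGE per login."""
import math
import secrets

ROWS, COLS = 5, 7            # assumed card geometry (35 cells)
CELLS_PER_CHALLENGE = 2      # assumed: each login asks for two cells
TOTAL_CELLS = ROWS * COLS


def issue_card(rng=None):
    """Server side: mint a card. Every cell is an independent random
    two-digit value, so revealing one cell leaks nothing about the others."""
    rng = rng or secrets.SystemRandom()
    return {(r, c): rng.randrange(100) for r in range(ROWS) for c in range(COLS)}


def make_challenge(card, rng=None):
    """Pick CELLS_PER_CHALLENGE distinct positions uniformly at random.
    Fresh positions each time are what defeat a straight replay of the
    previous login's answer."""
    rng = rng or secrets.SystemRandom()
    return rng.sample(sorted(card), CELLS_PER_CHALLENGE)


def answer_from_card(card, challenge):
    """What the legitimate customer types after reading the physical card."""
    return "".join(f"{card[p]:02d}" for p in challenge)


def verify(card, challenge, answer):
    """Server side: compare the submitted digits with the card, in constant
    time so response timing does not leak how many digits matched."""
    expected = answer_from_card(card, challenge)
    return secrets.compare_digest(expected, str(answer))


class PhishingAttacker:
    """Models the known weakness: a fake login page that relays the bank's
    real challenge to the victim learns the cells the victim reveals."""

    def __init__(self):
        self.known = {}

    def observe(self, challenge, answer):
        # each challenged position corresponds to two digits of the answer
        for i, pos in enumerate(challenge):
            self.known[pos] = int(answer[2 * i:2 * i + 2])

    def try_answer(self, challenge):
        """Answer only if every challenged cell has already been harvested;
        otherwise the attacker would be guessing at 1 in 10**(2*k)."""
        if all(p in self.known for p in challenge):
            return "".join(f"{self.known[p]:02d}" for p in challenge)
        return None


def success_probability(known_cells, total=TOTAL_CELLS, k=CELLS_PER_CHALLENGE):
    """Probability that a random k-cell challenge falls entirely inside the
    attacker's harvested cells: C(known, k) / C(total, k)."""
    if known_cells < k:
        return 0.0
    return math.comb(known_cells, k) / math.comb(total, k)


if __name__ == "__main__":
    card = issue_card()
    ch = make_challenge(card)
    print("challenge", ch, "ok:", verify(card, ch, answer_from_card(card, ch)))
    for n in (2, 10, 20, 35):
        print(f"attacker knows {n:2d} cells -> P(success) = {success_probability(n):.3f}")
```

With the assumed 35-cell card and two cells per login, a phisher who has captured a single login can answer a fresh challenge only about one time in 600; after ten captured logins (at most 20 distinct cells) the odds are still under a third. That is why the card holds up in practice, and also why the digits are worthless once someone posts a photo of the whole card.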

------
kcorbitt
There is no way in the world that North Korea developed the expertise to
effect this kind of attack in-house, even if it is a relatively simple piece
of malware.

My guess is that the Chinese have been supporting them in a limited way. China
doesn't really have a motivation to encourage North Korea's ridiculous antics
and belligerent behavior of late, but it does have a great deal of interest in
testing out its own cyber-attack vectors on real-world targets. If they were
to directly attack the computers of another nation themselves the world will
go into an uproar and their trade will suffer. On the other hand, if North
Korea does it we've gotten to the point, collectively, where we don't do much
more than roll our eyes and shrug it off. It's a bit like when the Germans
decided to test tank warfare by getting involved in the Spanish Civil War.

~~~
EliRivers
Unless they, you know, have internet access, some hardware to play around with
and the ability to read.

~~~
jmsduran
It is more likely that an elite group in Pyongyang has internet and computer
access, with a subset of that group given more privileges to engineer & deploy
malware/etc.

Given that though, I find it rather hard to believe the North Korean
government could pull off a cyber-attack like this all by themselves,
especially when you take into account the effect of international sanctions
and the North's very outdated technology (I remember reading they still use a
1960's crank-phone for communication through the DMZ).

My best bet is that the Chinese government gave them significant assistance in
launching this attack.

~~~
EliRivers
Outdated technology like this?
<http://timenewsfeed.files.wordpress.com/2013/01/computers.jpg>

DPRK has modern computers. DPRK has internet connections. It has smart people
who did well in maths class and know how to program. It has very tight control
on all of this, but it has it. Hell, if they needed some more off the shelf
PCs, they could just wander across the border into China and buy some; the
train crossing into Dandong was full of DPRK citizens going into China.

------
ihsw
I was going to make a snide comment about South Koreans using Internet
Explorer 6, but apparently usage is way down.

<http://www.ie6countdown.com/>

~~~
kijin
Doesn't really matter, because all the important stuff (like online banking
and virtually all government business) still relies on ActiveX controls that
were developed in the IE5 days. You can upgrade everyone to IE10 but it won't
help because the ActiveX controls are still there.

