South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack

It has been reported in the media that several South Korean banks and local broadcasting organizations have been impacted by a cyber attack.

The attack included the defacement of a Korean ISP/telecoms provider and also the crippling of servers belonging to a number of organizations.

The defacement displayed an elaborate animated Web page with sound effects, showing three skulls, and included a message from the claimed attackers, who call themselves the “Whois” team.

The attack was first noticed when a number of websites began to experience problems. Customers of banks could not access their online accounts and reports of other sites being down began to surface. While specific details are not known at this time, it has been reported that a number of sites affected had their hard drives wiped leaving the affected computers in a crippled state.

Symantec detects the suspected malware as Trojan Horse/Trojan.Jokra and WS.Reputation.1.

We are currently performing detailed analysis of the threat. At this time, we can confirm that the malware performs the following actions:

  • Creates a file mapping object to reference itself using the name: JO840112-CRAS8468-11150923-PCI8273V
  • Ends two processes relating to local antivirus/security product vendors:
    • pasvc.exe
    • clisvc.exe
  • Enumerates all drives and begins to overwrite the MBR and any data stored on the drive by writing either the string “PRINCIPES” or “HASTATI.” (note the period (.) at the end of the second string). This wipes all contents of the hard disk.
  • The threat may also attempt to perform the same wiping actions on any drives attached or mapped to the compromised computer.
  • Forces the computer to restart by executing “shutdown -r -t 0”, which renders the computer unusable as the MBR and the content of the drive are now missing.
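The overwrite strings above are the most useful forensic artifact an incident responder has when a wiped machine comes in: the MBR boot signature is gone and the first sectors are filled with the repeated wiper string. The following is an added example (not Symantec's tooling or code from the threat) that classifies a raw disk image on that basis. It assumes the wiper repeats the string contiguously across the sectors it overwrites, which the text does not state explicitly; the 0.9 coverage threshold and the sample images built by `make_clean_image` / `make_wiped_image` are constructed for illustration.

```python
"""Triage a raw disk image for Trojan.Jokra-style MBR/disk wiping (added example)."""

# Overwrite strings reported for the wiper; "HASTATI." keeps its trailing period.
WIPE_PATTERNS = (b"PRINCIPES", b"HASTATI.")
SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# Assumption (not stated in the write-up): the wiper writes the string back to back,
# so a wiped region consists almost entirely of pattern bytes.
WIPE_THRESHOLD = 0.9


def mbr_signature_intact(image: bytes) -> bool:
    """A bootable MBR ends its first sector with the 0x55AA boot signature."""
    return len(image) >= SECTOR and image[510:512] == MBR_SIGNATURE


def wipe_coverage(data: bytes) -> float:
    """Fraction of `data` made up of non-overlapping copies of the wiper strings."""
    if not data:
        return 0.0
    covered = sum(data.count(p) * len(p) for p in WIPE_PATTERNS)
    return covered / len(data)


def classify_image(image: bytes, sectors_to_scan: int = 8) -> dict:
    """Inspect the MBR and the sectors right after it, where a wiper hits first."""
    head = image[: SECTOR * sectors_to_scan]
    coverage = wipe_coverage(head)
    signature_ok = mbr_signature_intact(image)
    if coverage >= WIPE_THRESHOLD:
        verdict = "wiped"            # Jokra overwrite pattern dominates the region
    elif not signature_ok:
        verdict = "mbr-damaged"      # boot signature gone, but no known pattern
    else:
        verdict = "clean"
    return {"mbr_signature": signature_ok,
            "wipe_coverage": round(coverage, 4),
            "verdict": verdict}


# --- constructed sample images (synthetic, not data from a real incident) ---
def make_clean_image(sectors: int = 8) -> bytes:
    """Synthetic MBR: zeroed boot code, one NTFS partition entry, 0x55AA, then filler."""
    mbr = bytearray(SECTOR)
    # status, CHS start, type 0x07, CHS end, LBA start, sector count
    mbr[446:462] = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                    + (2048).to_bytes(4, "little") + (65536).to_bytes(4, "little"))
    mbr[510:512] = MBR_SIGNATURE
    filler = bytes(range(256)) * (SECTOR * (sectors - 1) // 256)
    return bytes(mbr) + filler


def make_wiped_image(pattern: bytes, sectors: int = 8) -> bytes:
    """Disk whose first sectors were overwritten by a repeated wiper string."""
    total = SECTOR * sectors
    return (pattern * (total // len(pattern) + 1))[:total]


if __name__ == "__main__":
    for name, img in (("clean", make_clean_image()),
                      ("hastati", make_wiped_image(b"HASTATI.")),
                      ("principes", make_wiped_image(b"PRINCIPES"))):
        print(name, classify_image(img))
```

To run it against a real acquisition, read the first few kilobytes of the image file (`open(path, "rb").read(SECTOR * 8)`) and pass them to `classify_image`; the "mbr-damaged" verdict is deliberately separate so that a missing boot signature without the known strings is still flagged for manual review rather than attributed to this threat.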

The results of the disk wiping actions are consistent with the major outages reported in that region. Disk wiping is not a new activity; in a separate incident in August 2012, a number of Middle Eastern organizations were hit by the W32.Disttrack (Shamoon) threat, which caused similar damage by wiping hard disks.

There are currently no indications of the source of this attack or of how the attackers infiltrated the affected parties. The real motives of the attack are also unclear, but political tensions on the Korean peninsula have been ramping up recently, and these attacks may be either a clandestine attack or the work of nationalistic hacktivists taking matters into their own hands.

Symantec will publish further information as it becomes available.