McAfee said the malware contained code designed to hunt out military-related terms
Hackers who wiped tens
of thousands of PC hard drives in South Korea earlier this year also appear to
be targeting the country's military secrets, according to a report.
A study by McAfee Labs
said the group has created malware which scanned systems for keywords including
"weapon", "US Army" and "secret".
It said that once a
computer's contents had been catalogued, the attackers could "grab
documents at will".
South Korea has played
down the threat.
Its defence ministry
told the Associated Press news agency that it was technically impossible to
have lost classified reports because the computers on which it stored military
secrets were not connected to the net.
A spokesman for the
Pentagon said it planned to review the report.
Social network
McAfee said the attacks
were part of a long-term spying operation dating back to at least 2009 which it
called Operation Troy because the name of the ancient city repeatedly appeared
in the hackers' code.
It began investigating
the group following an attack in March which caused data held on PCs used by
several banks and TV networks to be deleted.
Although the security firm said that the malware used to wipe the disks was distinct from that used to hunt for the military secrets, it said there were so many similarities between the two that it believed they must have been created by the same team.
It traced the spying
effort back to at least 2009 when it said the hackers managed to place an
exploit on a military social networking site. It added that it believed the
code was also spread through the use of "spear phishing" - email or
other messages masquerading as official communications which were designed to
fool specific individuals into handing over logins and other sensitive
information.
The report said that
once the malware was in place it searched the infected systems for
"interesting" documents.
To do this it scanned
for a variety of Korean and English-language keywords.
The study lists dozens
of examples including "tactics", "brigade",
"logistics" and "Operation Key Resolve" - a military
exercise involving both South Korean and US forces carried out every year.
McAfee said it had opted to withhold other "sensitive" terms at the
request of US officials.
The report explained that the software then flagged which computers appeared to have the most valuable contents and uploaded listings of their directories to the attackers' servers.
It said the hackers were then able to pick and choose which files to download in order to keep network traffic to a minimum, helping them avoid detection.
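The triage described above (keyword scan, per-machine ranking, directory listing, selective download) can be illustrated with a small simulation. This is an added example written for this page, not code from McAfee's report or from the malware itself; the English keywords are the ones the article quotes, the Korean term is an assumed placeholder because McAfee published none, and the sample files are constructed. Defenders sometimes run exactly this kind of benign scan against their own shares to see what a keyword-driven collector would surface.

```python
import os
import re
import tempfile

# Sample keyword list: the English terms are those quoted in the article; the Korean
# term (assumed, "classified") stands in for the Korean keywords McAfee did not publish.
KEYWORDS = ["weapon", "US Army", "secret", "tactics", "brigade",
            "logistics", "Operation Key Resolve", "기밀"]


def compile_keywords(keywords):
    # One case-insensitive pattern per term; multi-word phrases are escaped whole.
    return {k: re.compile(re.escape(k), re.IGNORECASE) for k in keywords}


def score_file(path, patterns):
    """Return {keyword: hit count} for one file, read as loose UTF-8 text."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return {}
    hits = {k: len(p.findall(text)) for k, p in patterns.items()}
    return {k: n for k, n in hits.items() if n}


def catalogue_tree(root, keywords=KEYWORDS):
    """Walk root and return [(relative_path, size_bytes, total_hits, hits)] sorted
    with the most keyword-dense file first: the directory listing that, per the
    article, was uploaded so the operator could choose files later."""
    patterns = compile_keywords(keywords)
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = score_file(full, patterns)
            entries.append((os.path.relpath(full, root), os.path.getsize(full),
                            sum(hits.values()), hits))
    entries.sort(key=lambda e: (-e[2], e[0]))
    return entries


def rank_hosts(catalogues):
    """Given {hostname: catalogue}, order hosts by total keyword hits so the
    machine with the most promising contents is examined first."""
    totals = {h: sum(e[2] for e in cat) for h, cat in catalogues.items()}
    return sorted(totals, key=lambda h: (-totals[h], h))


def pick_files(catalogue, budget_bytes):
    """Choose the highest-scoring files that fit within a byte budget, mirroring
    the selective download used to keep network traffic low."""
    chosen, used = [], 0
    for rel, size, total, _ in catalogue:
        if total and used + size <= budget_bytes:
            chosen.append(rel)
            used += size
    return chosen


def build_demo_tree():
    """Constructed sample files (not real documents) in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="troy_demo_")
    os.makedirs(os.path.join(root, "plans"))
    files = {
        "plans/exercise.txt": "Operation Key Resolve logistics: brigade tactics, SECRET annex.",
        "plans/memo.txt": "US Army liaison notes on weapon maintenance.",
        "lunch.txt": "Cafeteria menu for the week.",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    cat = catalogue_tree(demo)
    for rel, size, total, hits in cat:
        print(f"{total:3d} hits {size:5d} B  {rel}  {hits}")
    print("hosts by value:", rank_hosts({"desk-01": cat, "desk-02": []}))
    print("download order within 70 bytes:", pick_files(cat, 70))
```

The byte budget in `pick_files` is the point worth noticing: a collector that ships a listing first and fetches only the top-scoring files afterwards produces far less outbound traffic than one that copies whole directories, which is why volume-based exfiltration alerts alone would not have caught it.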
McAfee also warned that
it had discovered a version of the spying malware which had the ability to
destroy data in a way similar to the one used against the civilian targets.
"This capability
could be devastating if military networks were to suddenly be wiped after an
adversary had gathered intelligence," it said.
"There was at
least one limitation, however. We found the malware of February 2011 could wipe
its targets only if it was detected that it was being debugged or analysed by a
security product."
Wiper function
A spokesman for South
Korea's government denied classified documents would have been at risk since
the computer network that stored them was not connected to the net.
"It's physically
separated," said Kim Min-Seok.
However, one of the
report's authors suggested there was still a risk.
"It is not
entirely impossible to extract information from a closed network that is
disconnected from the internet," said senior threat researcher Ryan
Sherstobitoff.
"[But] it would
require some extensive planning and understanding of the internal layout to
stage such an exfiltration [unauthorised data transfer] to the external
world."
The report does not name who McAfee believes to be responsible. However, South Korean officials have previously said that the 20 March attack "resembled North Korea's past hacking patterns".