One well-known gang of hackers contributed to cyberattacks on South Korea on Tuesday, which coincided with the 63rd anniversary of the start of the Korean War, according to analysis from Symantec.
The attacks on Tuesday disabled websites, including that of South Korean President Park Guen-hye. North Korea is frequently suspected of having a hand in the attacks, which have coincided with the anniversaries of significant historical events, but definitive attribution is difficult.
Symantec wrote some of the distributed denial-of-service (DDoS) attacks were likely conducted by a group named “DarkSeoul,” which has carried out destructive, high-profile campaigns against South Korea and the U.S. for at least four years.
DarkSeoul is also believed to have been behind the March 20 cyberattacks against South Korea that used Jokra. It is a piece of malware designed to overwrite a computer’s master boot record, which is the first sector of the computer’s hard drive that the computer checks before the operating system is booted. The attacks hit at least three television stations and four banks.
This time around, Symantec wrote that DarkSeoul seeded websites with “Castov,” a tampered version of a legitimate program called SimDisk.
SimDisk is a file-sharing and storage application, according to a writeup by Trend Micro. The SimDisk installer was modified to change the website the application uses to receive updates to a malicious one. The same infection technique was also used for another application called Songsari.
“We currently do not have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanism of the vendors they choose to trust,” wrote Marco Dela Vega, a threats researcher with Trend.
Once it infects a machine, Castov downloads more components, even utilizing the TOR (The Onion Router) network. TOR is a worldwide network of servers that routes Web traffic with a high degree of anonymity through many servers and obscures a computer’s real IP (Internet Protocol) address.
“The attacks conducted by the DarkSeoul gang have required intelligence and coordination and in some cases have demonstrated technical sophistication,” Symantec wrote.
“Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea.”