It would seem that Korea is on the offensive, with some compelling evidence of a planned cyber attack concentrated on Russian targets this week. This comes on the heels of North Korea’s rocket launch, which has been publicly scrutinized in the international community as a chest-thumping display rather than a celebration of technological achievement. It is unclear at this time whether the cyber attack originated from North or South Korea, says FireEye, the security organization responsible for breaking the news.
A breakdown of the functionality of the attack is as follows:
An email phishing approach is used with a malicious attachment (an MS Word file) whose macros drop executables and .dlls that, when used in tandem, cause lapses in AV detection. Using a Korean message board and a Korean Yahoo! mail server, a Command and Control (CnC) mechanism is enabled. This begins the extraction process, further exploiting the MS Office vulnerability to the point of sending confidential data to a public message board in very plain view.
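The chain above starts with a macro-carrying Word attachment, so the first place a defender can catch it is the mail gateway. The following is an added example, not code from FireEye or from the original post, showing a minimal stdlib-only check that parses an .eml, pulls out attachments, and flags Word documents that carry a VBA project (either an OOXML file containing `word/vbaProject.bin`, or a legacy OLE binary container, which is flagged conservatively). The sample messages and the `report.docm`/`report.docx` names are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the legacy OLE compound-file container used by .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macro(data: bytes) -> bool:
    """Return True if an Office attachment appears to carry VBA macros.

    OOXML (.docx/.docm) is a zip archive; a macro project is stored as
    word/vbaProject.bin. Legacy OLE .doc files are flagged outright here
    because confirming a macro storage requires walking the OLE stream
    tree, which is out of scope for this small check.
    """
    if data.startswith(OLE_MAGIC):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_attachments(raw_eml: bytes) -> list:
    """Parse a raw RFC 5322 message and return the filenames of macro-bearing attachments."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if has_vba_macro(payload):
            hits.append(name)
    return hits


def build_sample_eml(macro: bool) -> bytes:
    """Constructed sample message: a minimal OOXML zip, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("See attached.")
    if macro:
        subtype, filename = "vnd.ms-word.document.macroEnabled.12", "report.docm"
    else:
        subtype, filename = "vnd.openxmlformats-officedocument.wordprocessingml.document", "report.docx"
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype=subtype, filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, suspicious_attachments(build_sample_eml(flag)))
```

The check keys on file contents rather than on the declared MIME type or extension, since a `.docm` renamed to `.doc` or sent with a generic `application/octet-stream` type would otherwise slip through; in a real gateway this would feed a quarantine or sandbox step rather than block on its own.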
Further investigation showed that the majority of the targets included personnel from Russia’s Space Science Internet Division and the ITAR-TASS State Enterprise, while other targets were from anti-virus companies. Judging by the Korean mail servers and fonts used, the attacker in question made frequent use of native message boards and created a Korean Wikipedia page to boot.
According to FireEye, the servers were still up and gathering information, so a full analysis has yet to come.