Cyber Espionage News: Possible Korean Espionage Attack

BSOD

It would seem that Korea is on the offensive with some compelling evidence of a planned cyber attack concentrated on Russian targets this week. This comes on the heels on North Korea’s rocket launch, which has been publicly scrutinized in the international community as a chest-thumping display rather than a celebration of technological achievement. It is unclear as to whether the cyber attack originated from North or South Korea at this time, says FireEye, the security organization responsible for breaking the news.

A breakdown of the functionality of the attack is as follows:

An Email phishing approach is used with a malicious attachment(MSWord file) who’s macros drop executables and .dlls, that when used in tandem causes lapses in AV detection. Using a Korean message board and a Korean Yahoo! mail server, a Command and Control(CnC) mechanism is enabled. This begins the extraction process, further exploiting the MS Office vulnerability to the point of sending confidentials data to a public message board in very plain view.

Further investigation showed that the majority of the targets included personnel from Russia’s Space Science Internet Division and the ITAR-TASS State Enterprise, while other targets were from Anti-Virus companies. Between the Korean mail servers and fonts used, the attacker in question utilized native message boards often and created a Korean Wikipedia page to boot.

According to FireEye, the servers were still up and gathering information, so a full analysis has yet to come.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s