SANS ISC: Untangling the News from South Korea

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

The morning has brought a lot of links pointing to a number of different computer security incidents coming out of South Korea.  It certainly sounds like the end of the world if you lump all together and attribute them to a single actor.  However I don't think that is case.

Sifting through them I can tease out what appear to be 4 different threads to the story.  In no particular order I have seen:

• A reported DDoS that hasn't identified the targets, or when it started or when it ended or what the impact was.
• Kaspersky reports of some web defacements here: http://www.securelist.com/en/blog/208194183/South_Korean_Whois_Team_attacks
• There were some news sites that were defaced to redirect visitors to install some banking malware that targeted Korean banks: http://blog.avast.com/2013/03/19/analysis-of-chinese-attack-against-korean-banks/
• There's reports that a lot of machines had their hard drives wiped and analysis was released today: http://training.nshc.net/KOR/Document/virus/2-20130320_320CyberTerrorIncidentResponseReportbyRedAlert.pdf

I'd like to urge readers to not link these 4 events together without additional analysis.  Kaspersky linked the defacement with the wiper malware, despite this same warning being present in the news article that they linked to (I still heart you guys though.)  The timelines on these events are still not clear, and the methods indicate different actors and motivations to me.