Behind the South Korean Government DDoS Attacks

BERLIN–In the last few years, there have been a series of DDoS attacks and intrusions on government networks in South Korea that have resulted in the loss of untold amounts of data. The four attacks haven’t been linked together or attributed to the same attackers, but there are some similarities in the methods and results, a researcher said.

The attacks on South Korean government sites and banks date back to at least July 2009 and run up through an incident in June of this year. Not all of them were destructive, but some employed malware that wiped the master boot record of infected machines and rendered them unusable. Others were massive DDoS attacks directed against DNS servers or individual sites.

In one of the attacks, in March 2011, a malicious dropper was downloaded onto machines through a drive-by download. That dropper had a time bomb inside of it that instructed it to check the date and time and, at a predetermined hour, download and execute a piece of malware. That component would then overwrite the MBR of the infected machine. There were two different wiper malware samples involved in the attack, said Christy Chung of Fortinet, one for Windows machines and the other for Unix machines. In both cases, the MBR was wiped, rendering the machines unusable.

“The two wipers have similar behaviors,” Chung said during a talk at the Virus Bulletin 2013 conference here Thursday. “After the machine reboots, it shows that the operating system can’t be found because the MBR was overwritten.”

The attacks that occurred on June 25, 2013, used a different tactic, targeting two of the name servers used by some of the major South Korean government Web sites. In that case, the malware that infected the PCs used to attack the name servers had components that added registry keys and created services that enabled the malware to survive a reboot and remain on the system, Chung said. The two target DNS servers were hard-coded into the malware, and at a predetermined time the malware launched the DDoS attack on the servers. The effect was devastating.

“Many of the major Korean government sites were unavailable for some time,” Chung said.

Although there were some similarities in the malware used in the attacks, Chung said she’s not convinced that the same attackers were behind all of them.

“I don’t see that,” she said.
