Research sheds light on Dark Seoul sabotage gang

By on
Research sheds light on Dark Seoul sabotage gang

South Korea and US corporations targeted.

Over the past four years a politically motivated group has targeted South Korean organisations by planting trojans capable of wiping data, shuttering websites through distributed denial-of-service attacks and stealing sensitive corporate information.

The Dark Seoul gang targeted South Korean banks and news organisations in March with attacks including the Jokra trojan which targeted Linux machines and overwrote master boot records.

Symantec researchers found the group used the Castov downloader to target South Korean financial institutions in May and a government server this week.

The downloader dropped malware that levied DDoS attacks against the server and stole data from banks in the country.

Symantec has not determined the location of the Dark Seoul gang but believed campaigns were politically motivated due to the theme of messages used to overwrite files.

The US was targeted in 4 July 2009 under attacks using the Dozer trojan.

On Tuesday, the 63rd anniversary of the start of the Korean War, the Castov trojan was used to DDoS South Korean government websites.

Symantec Security Response operations manager Liam O'Murchu said the attacks have demonstrated a high level of coordination, and that Dark Seoul sought to spy on their targets prior to sabotaging data and operations.

“The attacks are quite organised and they do drop backdoors as part of the attacks,” O'Murchu said.

“I believe they do this so they can analyse the best way to damage [organisations]. Then they'll try to abuse their systems to distribute malware."

O'Murchu said attackers have followed a pattern over the years where they determine a company's patching schedule, then use a tool that the administrator would use to patch systems, but instead utilise it to distribute malware.

“They look to see how that company distributes their patches, so they can send the malware to every computer in the business and wipe them all in the same day,” O'Murchu said. Saboteurs have also stolen administrators' login credentials to distribute trojans, he added

On Thursday, Symantec also reported about a wiper trojan called Korhigh, which was recently used by a separate, unidentified group to delete computer files and overwrite data on the master boot record of South Korean organisations.

O'Murchu said that the success of groups like Dark Seoul have encouraged other hackers with enough resources to opt for campaigns that sabotage companies' operations, as opposed to merely stealing user credentials to carry out fraud.

“People has seen other threats doing this and realised you can cause a lot of damage by wiping data or [carrying out] denial-of-service,” O'Murchu said.

“In the last couple of years, we've seen multiple groups that are causing high impact damage.”

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?