Yesterday's attacks on South Korean banks and broadcasters are more likely to be the work of hacktivists than state-sponsored adversaries.
According to a blog post by Beau Woods at Stratigos Security, who watched events unfold, fingers were originally pointed at North Korea for the attacks, which affected ATM networks and caused internal issues that wiped computers, removed data and prevented them from coming back online. However, he said that hackers were able to install malicious software on the computers, and he suspected that the attack may be related to suspicious files discovered last week.
Evidence pointed to a hacking group called 'Whois Team', whose website claimed to have stolen all the information and deleted it from the computers.
The blog said that this was not a targeted attack, advanced persistent threat or distributed denial-of-service (DDoS) attack, and that the techniques were not all that advanced, as "truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in".
Woods said: “This was not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the 'skull' website would either be unrelated or a false flag.
“That doesn't seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The word HASTATI, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism.”
In agreement was Kaspersky Lab, who captured screenshots. It said that if a nation state is not behind these attacks, then it is just cyber terrorism. “Obviously, the attacks were designed to be 'loud' - the victims are broadcasting companies and banks. This makes us think we are not dealing with a serious, determined adversary but script kiddies or hacktivists looking for quick fame,” it said.
Wieland Alge, vice president and general manager EMEA at Barracuda Networks, said: “Investigations into suspected cyber attacks on broadcasters and banks in South Korea reflect the realisation that cyber attacks are becoming more and more frequent.
“The gangs behind them are improving their exploitation tactics greatly, whether to display pop-up advertisements, install spyware to spy on users' web browsing habits or insert Trojans.
“Any critical infrastructures are in constant danger of being targeted too. Private and publicly owned businesses alike need to have a clear and immediate understanding of the threat situation in order to develop countermeasures to protect themselves from falling prey to the same kind of attack.”