Cyberattack on South Korea was part of 4-year spying campaign

McAfee releases a report saying that the massive March attack on banks and TV stations was part of an extensive campaign to steal government and military secrets.

Dara Kerr Former senior reporter

South Korea has been under a concerted cyberattack for the last four years, according to a comprehensive new report (PDF) released Monday by security firm McAfee. That means the hack that crippled three TV broadcasters and two banks in March was possibly just the tip of the iceberg.

What has been the goal of these hackers? To steal South Korean government and military secrets, according to McAfee.

"Our analysis of this attack -- known first as Dark Seoul and now as Operation Troy -- has revealed that in addition to the data losses of the MBR wiping, the incident was more than cybervandalism," McAfee's report reads. "The attacks on South Korean targets were actually the conclusion of a covert espionage campaign."

Initially, in March, it was revealed that servers in South Korea were victims of a massive coordinated attack that erased data from tens of thousands of computers. At first, the government blamed China for the hack, and then pointed the finger at North Korea.

According to McAfee, it's still not clear who was behind the stunt. But the security firm has garnered far more information about the attackers and their methods.

Dubbing the hacking campaign "Operation Troy," McAfee says the attacks were a coordinated effort between two groups called the "Whois Team" and the "NewRomanic Cyber Army Team." It's possible, McAfee says, that these two teams were working for the same leadership.

The malware used in Operation Troy included two Trojans and a wiper that installed themselves on users' computers via file transfers from online bulletin boards and discussion forums. According to McAfee, once the malware was installed, it could spy on users' computers and then destroy the hard drive.

"McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea's military and government activities," the report reads. "From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets."