

The attacks against South Korean media and banking organizations last week severely disrupted a handful of organizations through the coordinated distribution of “wiper” malware designed to destroy data on hard drives and render the systems unbootable. At 14:00 KST on March 20, 2013, the wiper was triggered across three media organizations and four banks, setting off a firestorm of speculation and finger-pointing that continues as of this writing. In this post, I’ll share a perspective no one else seems to be talking about, but which may be the real motivation behind these attacks.

The What and the Possible Why

Let’s start with what we know:

While the “what” of the attack is well established, the “why” and “how” are still a matter of debate. Theories put forward include an outright act of warfare by North Korea designed to economically disrupt South Korea, or an act of sabotage to cover the tracks of data exfiltration allegedly carried out by China. But what if there were an explanation that was less about countries and politics and more about that all-time motivator of crime: money? Consider, if you will, the following timeline.

Coincidentally, one of the malware binaries identified in the DarkSeoul attacks is a banking Trojan that specifically targets customers of these same Korean banks. In the days leading up to the wiper’s trigger, antivirus vendor Avast observed a malicious injection attempting to deliver this same binary via a compromised website registered to the Korea Software Property Rights Council. Cisco Web Security traffic logs reveal that the website registered to Daewoong Pharmaceutical was similarly compromised. Both sites were injected with iframes that attempted to deliver exploit code from the same attack site. The resulting scripts attempted to exploit a vulnerability in Microsoft XML Core Services, described in MS12-043.
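The injection pattern described above (a legitimate page carrying a small or hidden iframe whose source points at a third-party host that serves the exploit) is something a defender can scan for directly. The following is an added example written for this post, not code from the original article or from Cisco; the hostnames and HTML in it are constructed placeholders, not indicators from the incident. It flags iframes that are both off-site and concealed, since an off-site iframe alone is normal (video embeds, advertising).

```python
"""Flag concealed, off-site iframes of the kind injected into compromised pages.

Heuristic: an <iframe> whose src host differs from the page's own host AND
that is hidden (display:none / visibility:hidden) or near-zero in size.
All hostnames and markup below are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height that renders (near-)invisibly, e.g. '0' or '1px'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are off-site and concealed.

    A relative src (no host) is treated as on-site and never flagged.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host
        if host.lower() == page_host.lower():
            continue  # same-origin frame: not the injection pattern
        reasons = []
        if _is_tiny(frame.get("width", "")) or _is_tiny(frame.get("height", "")):
            reasons.append("near-zero size")
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed plus one injected hidden frame.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://videos.example.org/player?id=7" width="640" height="360"></iframe>
<iframe src="http://attacker.example.net/land.html" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a saved copy of a page, this reports only the concealed third-party frame; the visible video embed passes. In practice you would feed the flagged src hosts into web reputation or blocklist checks rather than treat the heuristic alone as a verdict.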

Based on the initial reports, we found no indication that customers protected by Cisco security products were compromised by the suggested first-stage web and email attacks. In fact, we found only a handful of events in the SIO dataset that relate to the malicious domains or first-stage exploitation. We also have evidence that in some instances no exploit was delivered: the attack attempts against Cisco customers stopped at the iframe. Given this supporting data in our traffic logs, the Cisco Threat Research & Communications (TRAC) team supports the premise that these attacks were highly targeted.
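Establishing that an attempt “stopped at the iframe” is a question of web proxy log correlation: for each client that fetched a compromised page, did a request to the attack site follow, was it allowed, and did it reach an exploit object? The following is an added example written for this post, not Cisco’s tooling or the original article’s code; the log lines are constructed in a Squid-like layout (timestamp, client, action/status, bytes, method, URL), and the hostnames and path hints are placeholders, not indicators from the incident.

```python
"""Classify each client by how far a drive-by chain progressed.

Stages, from least to most advanced:
  no_contact         client never fetched a compromised page
  stopped_at_iframe  compromised page fetched; attack site never requested,
                     or every request to it was denied (attempt stopped at the iframe)
  landing_fetched    attack site served content, but no exploit/payload object seen
  exploit_delivered  an exploit- or payload-looking object was served with 2xx
Hostnames, paths and log lines are constructed for illustration only.
"""
from collections import defaultdict
from urllib.parse import urlparse

COMPROMISED_HOSTS = {"www.compromised-site.example"}
ATTACK_HOSTS = {"exploit.attacker.example"}
# Path fragments treated as exploit/payload objects (a heuristic; a real MSXML
# exploit may arrive as plain HTML/JS, so tune these against observed traffic).
EXPLOIT_PATH_HINTS = (".swf", ".jar", ".exe", "exploit", "payload")

SAMPLE_LOG = """\
1363758000.101 10.0.0.5 TCP_MISS/200 5120 GET http://www.compromised-site.example/index.html
1363758000.240 10.0.0.5 TCP_DENIED/403 0 GET http://exploit.attacker.example/land.html
1363758001.001 10.0.0.9 TCP_MISS/200 5120 GET http://www.compromised-site.example/index.html
1363758001.350 10.0.0.9 TCP_MISS/200 912 GET http://exploit.attacker.example/land.html
1363758001.900 10.0.0.9 TCP_MISS/200 40960 GET http://exploit.attacker.example/payload.exe
1363758002.500 10.0.0.7 TCP_MISS/200 8192 GET http://www.unrelated.example/news
"""


def parse_line(line):
    """Parse one Squid-style access log line into a dict."""
    ts, client, action_status, _size, _method, url = line.split()[:6]
    status = int(action_status.split("/")[1])
    parsed = urlparse(url)
    return {"ts": float(ts), "client": client, "status": status,
            "host": (parsed.hostname or "").lower(), "path": parsed.path.lower()}


def classify_clients(log_text):
    """Return {client_ip: stage} for every client seen in the log."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)

    stages = {}
    for client, reqs in per_client.items():
        hit_compromised = any(r["host"] in COMPROMISED_HOSTS for r in reqs)
        attack_ok = [r for r in reqs
                     if r["host"] in ATTACK_HOSTS and 200 <= r["status"] < 300]
        exploit_ok = [r for r in attack_ok
                      if any(hint in r["path"] for hint in EXPLOIT_PATH_HINTS)]
        if exploit_ok:
            stage = "exploit_delivered"
        elif attack_ok:
            stage = "landing_fetched"
        elif hit_compromised:
            stage = "stopped_at_iframe"
        else:
            stage = "no_contact"
        stages[client] = stage
    return stages


if __name__ == "__main__":
    for client, stage in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client}: {stage}")
```

In the constructed sample, 10.0.0.5 loaded the compromised page and its browser did request the iframe target, but the proxy denied it, so the attempt stopped at the iframe; 10.0.0.9 was served both the landing page and a payload object and should be treated as exploited; 10.0.0.7 never touched either host. The denied request is the useful artifact here: it shows the iframe did fire, and that a reputation-style block at the proxy broke the chain.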

Efficacy of Layered Defenses

Additionally, details about the second-stage malware, the “dropper” that delivered follow-on tools for further exploitation, highlight the attackers’ awareness of, and specific reconnaissance against, their targets. McAfee’s blog about the incident shows that the malware disabled two popular Korean host-based antivirus engines, from AhnLab and Hauri. Attackers often use such techniques to avoid or disable specific defenses, which further underscores the need for defenders to present a variety of overlapping controls: each one an attacker must separately account for increases the pressure on them and makes it less likely that they fully realize the intended attack.

While no Cisco security customers were impacted in this particular attack, what Cisco knows of the first-stage exploits suggests that a wide variety of protections were in place to stop these attacks had customers been targeted: web reputation, email outbreak filters, IPS signatures, and more. Any time an attacker uses reconnaissance to target a specific organization or set of organizations, every additional layer is a hurdle that must be cleared, and it can make the difference between being a target and becoming a victim.

Importance of Data Sharing

There is a renewed push for data sharing and transparency in the industry, and incidents like this one highlight how important this sharing is to the entire community of defenders. Cisco SIO pools the intelligence and capabilities of a wide suite of security solutions to deliver an unparalleled perspective to our customers, and customers who opt-in to providing us with telemetry further improve the efficacy of Cisco security products for each other.

Likewise, as a community of defenders we can share details in the appropriate settings to promote more effective responses to imminent, in-progress, or completed attacks. Some details can be shared widely, like the indicators included in the antivirus vendor postings mentioned previously; where more discretion is required, a more focused forum for connecting with other incident responders is needed, which is why Cisco has been a member of FIRST for many years. But as a community, we must understand that sharing is critically important leverage that we can exert over attackers who direct their resources at specific targets with the advantage of specific reconnaissance. Even if an attack is targeted at one organization today, that doesn’t mean the same attacker won’t reuse the same kinds of exploits or techniques against another set of targets in the future.


Customers protected by Cisco security products were well protected, or would have been had they been targeted in these attacks, because of the deep and varied protections our solutions have in place. But there is a significant benefit for all defenders when data sharing is combined with community efforts to improve these kinds of comprehensive defenses. Together, layered defenses and effective sharing are key capabilities essential to combating increasingly targeted attacks.
