McAfee, the Internet security company owned by Intel, has a research lab that just put out a report covering four years of hacking attacks aimed at South Korea. What previously appeared to be isolated attacks on media, banks, and government websites, many of them detailed here and in the report, are instead part of an ongoing 2009-2013 espionage campaign targeting military forces in South Korea in order to extract classified information. Targets included information on U.S. military forces and their operations in the South.
Through examining the evolving code used in the attacks, McAfee Labs found the attacks on South Korean banks, media, universities, elections, government, and other websites shared common source code, one encryption password, similar use of IRC botnets, consistent terminology, and a target set of military keywords. The report, on page 22, even lists the (somewhat poorly translated) Korean keywords used to target military operations in South Korea, including by U.S. forces.
Rather than a separate group of incidents targeting South Korea, which the South’s government, after conducting investigations, has attributed to the North, McAfee Labs is arguing that the incidents are all part of one, “secret, long-term campaign.” A campaign that reveals an adversary, “attempting to spy on and disrupt South Korea’s military and government activities.”
The McAfee report does not explicitly blame any particular country for the attacks, but makes the case that the attacks have been conducted by the same organization, taking the same measures against the same sites in an ongoing, state-level espionage operation. Investigating the same incidents separately, the South has laid official blame for the attacks on the North. If the South’s researchers haven’t already figured out what’s in the McAfee report, its findings will likely play a role in relations between the two Koreas very shortly.