
    Cyber-spying ring targeted South Korean, US military

    Culprits infiltrate firms for secrets

    Simon Choi, a South Korean cybersecurity researcher, says he found malware dating back to 2007.
    Ahn Young-joon/Associated Press

    SEOUL — The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives, cybersecurity firms say. They are also trying to steal South Korean and US military secrets with a malicious set of code that they have been sending through the Internet for years.

    The hackers’ identities and the value of any information they have acquired are not known to US and South Korean researchers who have studied line after line of computer code. But they do not dispute South Korean claims that North Korea is responsible, and other experts say the links to military spying add fuel to Seoul’s allegations.

    Researchers at California-based McAfee Labs said the malware was designed to find and upload information referring to US forces in South Korea, joint exercises, and even the word ‘‘secret.’’


    McAfee said versions of the malware have infected many websites in an ongoing attack that it calls Operation Troy, because the code is peppered with references to the ancient city. McAfee said that in 2009, malware was implanted into a social media website used by military personnel in South Korea.


    ‘‘This goes deeper than anyone had understood to date, and it’s not just attacks: It’s military espionage,’’ said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave the Associated Press a report the company is releasing later this week. He analyzed code samples shared by US government partners and private customers.

    McAfee found versions of the keyword-searching malware dating to 2009. A South Korean cybersecurity researcher, Simon Choi, found versions of the code as early as 2007, with keyword-searching capabilities added in 2008. It was made by the same people who launched prior cyberattacks in South Korea, Choi said.

    Versions of the code may still be trying to glean military secrets from infected computers. Sherstobitoff said the same coded fingerprints were found on an attack June 25 — the anniversary of the start of the 1950-53 Korean War — in which websites for South Korea’s president and prime minister were attacked.

    A day later the Pentagon said it was investigating reports that personal data about thousands of US troops in South Korea had been posted online.


    Sherstobitoff began his investigation after the March 20 cyberattack, known as the Dark Seoul Incident. It wiped clean tens of thousands of hard drives, including those belonging to three television networks and three banks in South Korea, disabling ATMs. South Korea says no military computers were affected by Dark Seoul.

    The code used in the shutdown is different from that used to hunt for military secrets, but they share so many characteristics that Sherstobitoff and Choi believe they were made by the same people.

    Sherstobitoff said those responsible for the spying had infected computers by ‘‘spear phishing’’ — targeted attacks that trick users into giving up sensitive information by posing as a trusted entity. The hackers hijacked about a dozen obscure Korean-language religious, social, and shopping websites.

    The McAfee expert said the hackers have targeted government networks with military information for at least four years, using code that automatically searches for dozens of military terms in Korean.

    The report does not identify the networks but does mention that in 2009, the code was used to infect a social media site used by military personnel living in South Korea.