Analyzing Motive Behind South Korean AttackDestruction, Not Financial Gain, Seen as Cyber-attack's Aim
Recent cyber-attacks against South Korean banks and broadcasters highlight a growing trend of more aggressive attacks aimed at destroying computer systems inside organizations.
In late March, cyber-attackers took aim at Shinhan Bank and NongHyup Bank, as well as TV broadcasters YTN, MBC and KBS. Using a more destructive form of malware, attackers disrupted services at the two banks. Employee computers and servers at the TV networks were disabled.
Vincent Weafer, McAfee Labs' senior vice president, says these events place a spotlight on an atypical type of malware that's meant to make its presence known and leave a mark.
"The malware attack tried to destroy and destruct the computer systems inside these organizations," Weafer says in an interview with Information Security Media Group [transcript below].
"[It] did so by means of attacking what we call the master boot record, the system which really gives instructions for how to boot up the machine and how to get access to files," he says. "The net result of that attack is many systems were rendered inoperable, and therefore many services were disrupted."
For organizations trying to pull lessons from these attacks, Weafer says the most important proactive measure is ensuring systems can be restored quickly in the event of an attack. "How quickly can you restore your critical data if you are attacked or something occurs?" he asks. "That's absolutely a lesson to be learned here."
In the interview, Weafer:
- Contrasts distributed-denial-of-service attacks with the type of destructive assault seen in South Korea;
- Explains why it's important to understand attackers' motives;
- Provides steps organizations should take to protect themselves from malware attacks.
Weafer manages hundreds of researchers across 30 countries at the IT security company. Before joining McAfee, he led IT security provider Symantec's security response team for 11 years. Dublin City University awarded Weafer a bachelor's degree in electronic engineering.
South Korea Attacks
ERIC CHABROW: Please take a few moments to characterize the attack.
VINCENT WEAFER: What's happened was we saw a malware attack occurring in South Korea. It targeted some of the largest banks and broadcasters in South Korea. Essentially it was a malware attack. This malware attack tried to destroy and destruct the computer systems inside these organizations, and did so by means of attacking what we call the master boot record, the system which really gives instructions for how to boot up the machine and how to get access to files. The net result of that attack is many systems were rendered inoperable and therefore many services were disrupted.
This attack is very unusual. Most malware we talk about on a daily basis are financially motivated or going after your identity and your information. They're designed to be stealthy and silent. They don't want to be seen and they want to stay on your system for as long as possible. Here, we have the complete opposite. This is designed to be seen and heard so therefore you look at a different motivation, but the lessons here would be for all the users, which is to make sure a machine is backed up. How quickly can you recover? If you've detected any malware attack, clearly you want to make sure your information is protected and the services are able to continue going on a regular basis. Recovery and the ability to respond are very important.
Unusual Type of Attack
CHABROW: You're saying the motivation is different from other kinds of malware attacks. How unusual are these kinds of attacks?
WEAFER: These types are very unusual in the context of data destruction. If we look back over the last couple of years, productively we've seen many of these involved in the attacks against South Korea. In 2009, we had the July 4 denial-of-service attacks where the botnets self-destructed using a similar technique. In 2011, we had an attack called "10 Days of Rain," which again had a self-destruction mechanism. Last year in August, we had this new virus in the Middle East which did data destruction, but these are really the exceptions compared to the normal rule of malware, which is designed to be stealthy, unseen and unheard until they actually extract what they're looking for, which is money or identity.
CHABROW: Should the defenses for this type of malware be different from the other types?
WEAFER: In general, the best protection you would use in terms of securing your systems, making sure they're backed up, making sure they're available, making sure you've got all offline back-ups would be the same against all malware cyber-attacks. However, in this case, since purely what they're looking to do is disrupt the services and destroy the data, you really do need to make sure that you can restore your systems quickly. In this case, these were banking and media services, but if they were home users the same thing would apply, which is: how quickly can you restore your critical data if you are attacked or something occurs? That's absolutely a lesson to be learned here.
Understanding Attackers' Motives
CHABROW: Is understanding the motive of an attacker important in developing a defense?
WEAFER: Understanding the attackers' motive is very important for people like ourselves because we're looking at not just the tools used by the attackers, but their motivation. Why are they going after certain people? What information are they looking for? In the last number of years, we've seen a lot of attacks going after intellectual property, business plans and information, and that really drives the security strategy used by enterprise users and companies, how they protect what information they're trying to secure. It certainly changes the security landscape. We've gone from the old anti-malware models, behavioral/reputation analysis and situational security. It really does evolve both the protection, as well as the strategy used for protection.
CHABROW: We're speaking a couple of days after this attack came to light. There's suspicion on the North Korean government, although I don't think there's any definitive proof of that yet. However, we're seeing more attacks that seem to be coming from countries with political motivations. What does that say about the threat environment?
WEAFER: We're absolutely seeing more and more attacks coming from what we call nation-states versus say criminal groups and activities. The tools they are using are very similar. In fact, the analogy we would use is: the criminals are creating the tools, the sophistication, the root kits and the tool kits that are used by many types of actors, nation states being just one example of the types of actors out there. It really shows that the complexity and the aggression that we're seeing on a daily basis is going to exponentially build over the next decade, and it really does mean that security and protection of our important infrastructure methods has gone beyond simply important to absolutely critical for our infrastructure and our protection.
More of a Nuisance?
CHABROW: The kinds of attacks that we saw in South Korea, and maybe even the DDoS attacks we see here in the U.S. against banks - are they more a nuisance at this moment? Can they swell into something much larger?
WEAFER: In general, DDoS attacks are seen to be more of an annoyance. They take a lot of time and energy to respond to them. The defenses cost time and money, but in general it rarely takes down a business or cripples an area. People have learned over the last decade how to deal with them. These types of attacks that we saw in South Korea, where you see self-destruction, where they completely wipe-out the master boot record and the filing system, and we saw this August in the Middle East are far more destructive. They take more time to respond to and recover after the attacks, so certainly that would be a ratcheting up of the impact of the attacks as compared to a DDoS. As soon as it's over, you're almost back to business as quickly as possible.
CHABROW: Any final thoughts?
WEAFER: In general, what we're seeing here is a continuation of the evolution of the threat landscape. For people listening in security thinking about their protection, what they do in terms of making sure their systems are secure, patches are updated, and making sure they're not going down the dark alleys of the Internet, all of those best practices apply here against these types of attacks versus the others.
Secondly, make sure you're thinking about the non-PC devices. In this case, some UNIX systems were actually also targeted as well, but of course we're increasingly seeing attacks against Android devices and other types of tablets. The lesson here is it's not just protecting say a PC, but making sure all of your computing assets and all of your data is protected to the best of your ability.