A destructive piece of malware, similar in function to the program that deleted data on tens of thousands of computers at a Middle Eastern oil conglomerate, caused widespread outages at major businesses in South Korea on March 19, IT security firms confirmed on March 20.
The malware, dubbed “Jokra” by security firm Symantec, wipes all data from any hard drive connected to an infected computer—a tactic similar to the August 2012 attacks on oil giant Saudi Aramco, which were reportedly carried out by Iran and which U.S. Defense Secretary Leon Panetta called “the most destructive attack that the private sector has seen to date.”
The Jokra attack deletes data on hard drives and has reportedly caused network outages at major banks and broadcasters, Symantec said in a brief analysis of the malware.
The destructive nature of the malware narrows down the list of suspects, said Liam O Murchu, manager of operations for Symantec’s security response team in North America.
“There is no particular benefit to be gained from wiping hard drives,” he said. “If they were stealing information, such as credit-card information or intellectual property, then you could understand there were some benefits beyond just destruction.” In this case, however, the goal appeared to be disruption: the objective was to knock computers offline, O Murchu said.
The most obvious suspicions fall on North Korea, which blamed the United States and South Korea for a network outage that took the country intermittently offline for two days the week of March 11.
The latest attack caused visible network outages at major Korean corporations, including the Korea Broadcasting System, Yonhap News Network, Shinhan Bank and the Korea Gas Corp., according to data published by Internet monitoring service Renesys.
“It is impossible to know from connectivity measurements alone whether these outages were the direct result of cyber-attacks,” Doug Madory, senior research engineer with Renesys, stated in a blog post. “However, given the recent rhetoric between these two nations, it is hard not to see these as ominous developments on the Korean peninsula.”
The outages could easily be a side effect of the damage Jokra does. Starting with the master boot record—the first sector of the drive, which holds the boot code and the partition table—the malware overwrites the infected system’s hard disk with the repeated string “HASTATI” or “PRINCPES,” according to Symantec.
Both are, or resemble, terms from Roman military history. Hastati were the poorer or younger, less experienced men who fought in the first rank of the early Roman legion, while principes were wealthier men in their prime who fought in the second rank with heavier arms and better armor, according to Wikipedia.
The term Hastati also appeared in the recent Halo film, Forward Unto Dawn, as the name of a squad of cadets. Given South Korea’s large gaming scene and its history of game-related hacking, the use of the term suggests an alternative theory of the attackers’ motive.
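A responder who pulls a disk image from an affected machine needs a quick way to tell an intact master boot record from one that has been overwritten with the fill strings Symantec describes. The script below is an added example for this article, not code from Symantec or from the original page: it parses the partition table of sector 0, checks for the 0x55AA boot signature, and counts sectors that consist almost entirely of the repeated “HASTATI” or “PRINCPES” string. The 90 percent fill threshold, the function names and the sample sectors are this example’s own assumptions; the images it scans are constructed in the script, not real disk data.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # trailing signature of a valid MBR
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow the boot code
# Strings Symantec reported the wiper writes across the disk; "PRINCPES" is
# kept exactly as reported rather than corrected to "PRINCIPES".
WIPER_MARKERS = (b"HASTATI", b"PRINCPES")
FILL_THRESHOLD = 0.9            # assumption: a sector >=90% marker text counts as wiped


def marker_coverage(sector: bytes, marker: bytes) -> float:
    """Fraction of the sector occupied by copies of `marker`.

    bytes.count() is non-overlapping and phase-independent, so this works
    whether the sector starts on a marker boundary or mid-word (512 is not a
    multiple of 7, so a sequential "HASTATI" fill drifts one byte per sector).
    """
    return sector.count(marker) * len(marker) / len(sector)


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of a classic MBR partition table, or []
    when the boot signature is missing (a wiped sector would otherwise
    decode into four garbage entries)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return []
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def classify_sector(sector: bytes) -> str:
    """'wiped:<MARKER>', 'blank', or 'data' for an arbitrary 512-byte sector."""
    for marker in WIPER_MARKERS:
        if marker_coverage(sector, marker) >= FILL_THRESHOLD:
            return "wiped:" + marker.decode("ascii")
    if not any(sector):
        return "blank"
    return "data"


def scan_image(data: bytes) -> dict:
    """Triage a raw disk image: is sector 0 still a usable MBR, and how many
    sectors carry the wiper's fill pattern?"""
    n = len(data) // SECTOR
    wiped = {m.decode("ascii"): 0 for m in WIPER_MARKERS}
    for i in range(n):
        verdict = classify_sector(data[i * SECTOR:(i + 1) * SECTOR])
        if verdict.startswith("wiped:"):
            wiped[verdict[len("wiped:"):]] += 1
    partitions = parse_partition_table(data[:SECTOR])
    return {
        "sectors": n,
        "mbr_intact": bool(partitions),
        "partitions": partitions,
        "wiped_sectors": wiped,
        "mbr_verdict": classify_sector(data[:SECTOR]) if n else "empty",
    }


# ---- constructed samples (not real disk data) ------------------------------

def build_sample_mbr() -> bytes:
    """Constructed: a minimal MBR with a zeroed boot-code area, one bootable
    NTFS-type (0x07) partition starting at LBA 2048, and the 0x55AA signature."""
    sector = bytearray(SECTOR)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_wiped_image(marker: bytes, sectors: int) -> bytes:
    """Constructed: what a sequential overwrite with `marker` leaves behind,
    the word repeated back to back across every sector."""
    total = SECTOR * sectors
    return (marker * (total // len(marker) + 1))[:total]


if __name__ == "__main__":
    clean = build_sample_mbr() + bytes(SECTOR * 3)
    print("clean :", scan_image(clean))
    print("wiped :", scan_image(build_wiped_image(b"HASTATI", 4)))
```

On a real case you would pass the first few megabytes of a raw image (for example `open("disk.dd", "rb").read(8 * 1024 * 1024)`) to `scan_image` rather than the constructed samples; a missing boot signature on its own only says the sector is damaged, while the marker count is what ties the damage to this particular wiper.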
“A lot of gamers have these sort of more destructive tendencies, where they will boot you from a game and it’s not seen as such a big deal,” O Murchu said. “So it could be that someone annoyed the attackers and they are getting back at them.”
Yet, such an explanation would likely be supported by other evidence connecting the attack to the Korean gaming scene, he said.
Recently, the U.S. military and intelligence community ranked cyber-attacks as a potentially greater threat than terrorism. With the diplomatic situation on the Korean peninsula heating up over attacks in the digital realm, those assessments appear to have been borne out.
A Pentagon spokesman, Lt. Col. Damien Pickart, made it clear in a statement to Bloomberg that the United States considers such attacks serious.
“The United States has a strong and enduring alliance with the Republic of Korea and is firmly committed to the defense of Korea in any domain—to include cyberspace,” Pickart said in a statement emailed to the news agency.